Agencies aim for better security audits

A number of federal agencies, including the Defense Department, are proposing new measures to evaluate network security. Page 11.

Mobile World Congress recap

Android largely MIA, Windows resurgent, LTE elicits yawns. Page 12.

team on virtualization

Microsoft and Red Hat are working to ensure customers can get cross-platform support for applications running in virtualized environments. Page 13.

To patch DNS or not, that is the question

Security researcher Dan Kaminsky told the Black Hat convention that organizations have been slow to react despite bug. Page 32.




Virtual desktops ready for takeoff?

BY JON BRODKIN

Desktop virtualization, with its promises of improved security, manageability and flexibility, may be on the verge of huge adoption, some experts predict.

But as with many new technologies, there is a catch. ROI is one of the main selling points, but desktop virtualization requires significant upfront costs and it can take three or four years to realize financial rewards.

“I see huge interest right now, for many reasons,” says Forrester Research analyst Natalie Lambert. “But the challenge is that desktop virtualization is a very costly endeavor. I don’t care what people tell you otherwise, they’re wrong.”

Gartner's latest numbers predict that hosted virtual desktop revenue will quadruple this year, going from $74.1 million worldwide in 2008 to nearly $300 million in 2009.

A survey of 340 IT managers found that 41% are already investing in desktop virtualization, and that the technology is

See Virtualization, page 14


Juniper SRX 5800: Biggest firewall ever

But tests show issues with IPS, management

BY DAVID NEWMAN AND JOEL SNYDER, NETWORK WORLD LAB ALLIANCE

If the Guinness Book of World Records had an entry for “biggest firewall ever,” Juniper’s SRX 5800 would qualify.

In our exclusive Clear Choice test, this hulking brute of a machine sped traffic at rates approaching 140Gbps through its 16 10Gigabit Ethernet interfaces, making it by far the largest and fastest firewall anyone has ever tested.

But “biggest” isn’t the same as “most capable.” For example, enabling intrusion prevention caused forwarding rates to drop to 30Gbps, even when handling benign traffic.

And there were issues with security policy management.

The Network and Security Manager (NSM) appliance Juniper supplied doesn’t yet accept security alerts from the SRX. In other words, it’s a security management platform that won’t say how or even whether the network is under attack.

As a firewall, the SRX/NSM combo is fine, even for managers of the very largest networks. But because of the lack of security alerts and some serious usability drawbacks in the NSM, we can’t yet recommend the system as a combined firewall/intrusion-prevention system (IPS).

See Juniper, page 16
When configured as a firewall, Juniper’s SRX 5800 forwarded traffic at nearly 140Gbps.
BodyGuardz makes protecting mobile devices from scratches more work than it’s worth.

See Cool Tools, page 22.

Man Productions, keeps track of BlackBerries with AppRiver Exchange Hosting.


GOODBADUGLY 


Broadband over powerline to the rescue

IBM has started building broadband over powerline networks that it says could provide broadband connectivity to 200,000 people living in rural areas. IBM is building out the BPL networks as part of a $9.6 million deal that it signed last year with broadband provider International Broadband Electric Communications to expand broadband access to people in rural areas that only have access to dial-up services.


CVS pays price for privacy failures

The largest pharmacy chain in the U.S., CVS Caremark, has settled Federal Trade Commission charges it failed “to reasonable and appropriate security measures to protect the and medical information tomers and employees,” in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act. The FTC opened an investigation after numerous reports from around the country said CVS pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages.


Conficker worm gets an evil twin

The criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines. Conficker-infected machines could be used for nasty stuff (sending spam, logging keystrokes or launching denial-of-service attacks), but an ad hoc group calling itself the Conficker Cabal has largely prevented this from happening.
PEERSAY


The stimulus-cable connection

Re: Stimulus bill aims for ‘national broadband plan’ (www.nwdocfinder.com/8826): My local broadband is a company with a name derived from a running bird that has a monopoly in my town. Their service and quality stinks beyond description. But, now I am secure in the knowledge that my tax dollars will go to pay for someone else’s [crummy] broadband.

You know, the Pilgrims at least had the option of moving to a country where they would be free from tyranny. Alas, today the Earth is full, nowhere to go. See you in the refugee camp someday, after our currency is worthless and our major cities are smoking radioactive ruin.

Steve

Fending off overage charges

Re: The case for flat-rate services (www.nwdocfinder.com/8827): When confronted with financial risk and gouging like this, enterprises are now choosing to “just say no” and wait out our [telecom] operators. When we did the analysis on the iPhone, we prevented adoption due to international data roaming charge structure. Last week we finally received the unlimited international roaming plan. IPhones are now going to be available for our employees and the lesson is: wait out the operators as they actually do need to generate revenue.

For data cards with these killer overage charges, if we don’t simply ban their adoption, we are demanding that the gigabytes of data be pooled like our voice minutes are. Our response to “the billing platform doesn’t do that” has been “please let us know when it does and we’d love to talk.”

Not buying the product is the only leverage we have.

TelecomType

A better way for Microsoft to spend its money

Re: Microsoft announces $250,000 Conficker worm bounty (www.nwdocfinder.com/8829):

A $250,000 reward to bring the “bad guys” to justice, huh? How about spending $250,000 on open-sourcing the Windows TCP/IP stack so somebody can fix the holes? How about spending $250,000 on grafting a BSD network stack underneath Windows, like MacOSX did?

If bad guys are people who cause grief to Windows users, wouldn’t the authors of this lousy code be more bad than those who point out how bad the code is? Remember the ping of death, where sending a jumbo packet to Windows caused an OS crash? This is the same stack, only patchier. Wheeeeeeee!

Financial adviser

Healthcare records reform is huge

Re: Obama's Electronic Health Records initiative could usher in a new wave of ID theft (www.nwdocfinder.com/8830): I work in the IT department of a healthcare system serving five hospitals and multiple physician's offices. We have three of the five hospitals on EMR now and are moving more in that direction. It is a huge undertaking and requires more than just software, but an entire assessment of the infrastructure and large amounts of user training ... and that’s just for our little piece of this huge puzzle. However, it definitely is worth it when it comes to reducing costs and mistakes.

My idea would be some kind of a clearinghouse, a third party similar to that which handles the transfer of mobile phone numbers from one company to another. Then, hospitals and physicians would be free to use whatever software makes sense for them, as long as they are able to upload the patient’s record in a common format (probably XML or some other standard format). Then, when a request comes in for that patient’s record through the third party the hospital or physician uploads the file in that format to the clearinghouse, which is responsible for verifying the validity of the request from the other side. The other side, once cleared, downloads the file and then is responsible for translating it into whatever format their system uses. This way we wouldn’t be opening up our systems to every single other hospital or doctor’s office.

Redwarrior

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 492 Old Connecticut Path, Framingham, MA 01701-9002. Please include phone number and address for verification.
MOBILE WORLD CONGRESS:


Solar-powered phones shine

At Mobile World Congress this year Samsung and LG showed off prototype cell phones that can be recharged by solar panels built into the case.

www.nwdocfinder.com/8838


Samsung puts projector into cell phone

Samsung has partnered with Texas Instruments to create a mobile phone with an embedded projector.

www.nwdocfinder.com/8839


HTC launches two Touch devices

HTC launched the Touch Pro 2 and Touch Diamond 2 at last week’s Mobile World Congress show in Barcelona, Spain.

www.nwdocfinder.com/8840


BEST  OF  NWW’S 

NEWSLETTERS 


Stimulus  bill  aims  for  ‘national 
broadband  plan’ 


BLOGOSPHERE


■ An interview with Microsoft UC GM Betsy Frost. Alex Lewis writes in his Windows into Silicon Valley blog: “I had a chance to sit down with Betsy Frost, general manager for Microsoft unified communications, at VoiceCon SF 2008 ... For those who missed VoiceCon, Betsy gave one of the keynotes and focused on the value from unified communications. ... UC is without a doubt the future and vendors not embracing a converged strategy are sure to be at a severe disadvantage. During our chat, Betsy stressed UC as a significant cost saving measure and that Microsoft's internal IT operations, (Microsoft Information Technology — MSIT) expects to save $10 million a year in reduced travel and improved efficiencies.”

www.nwdocfinder.com/8832

■ Gears is an enticing target for hackers. The Google Subnet blog reports: “The current trend toward enabling browsers to store more and more data — via not only cookies, but also Flash and Google's new Gears technology — is a ripe invitation to hackers. And since Gears, Google's technology for enabling offline access to online data, stores entire databases of information, it’s the prime candidate for concerted malicious attacks — at least according to security researcher Michael Sutton, who presented at last week’s Black Hat 2009 conference. According to this report on internetnews.com, Sutton says that cookies are susceptible to client-side cross-scripting attacks that could let insecure cookies from one site read the cookies from another. The good news is that cookies are not that big a target, since they are fairly limited in the amount of data they can hold.”

www.nwdocfinder.com/8833

■ Apple toys with idea of tiered pricing for the iPhone. Yoni Heisler writes in his iOnApple blog: “As it stands now, the data plan required for iPhone users stands as a significant barrier to entry for a large number of consumers, a situation only exacerbated in the current economic climate. While Apple CEO Tim Cook has openly stated that Apple would not enter the low-end phone market, a cheaper data plan could be an alternative that Apple would be willing to consider in order to drive up demand. Of course, Apple isn't operating alone, and any thoughts of adjusting iPhone pricing would most certainly be the topic of serious discussions between Apple and AT&T. Keep in mind that AT&T subsidizes every iPhone sold, but makes up that cost over the duration of a two-year subscription.”

www.nwdocfinder.com/8834


LANs: The U.S. economic stimulus package is law — $787 billion of it — and $7.2 billion has been set aside for improvements to the nation’s broadband infrastructure. Let’s take a closer look at what that means.

I should note up front that there was much debate about what should be in the bill, and some critics said that getting more competition into the picture to bring down prices might be the better way to go. The final version sets aside $2.5 billion of the total $7.2 billion for the “Distance Learning, Telemedicine and Broadband Program.” Right off the bat, it’s interesting, because you can see that we’re not just talking about broadband per se — the government has two applications (distance learning and telemedicine) in mind.
www.nwdocfinder.com/8821

Tech exec: Are you a fan of old radio and television shows? Do you appreciate the historical value of original news reels of speeches by John F. Kennedy, Richard Nixon and Martin Luther King Jr.? If you’re tired of the endless drivel on YouTube, then why not listen to or view real history on www.museum.tv? This fascinating Web site is brought to you by the Museum of Broadcast Communications. The streaming media is made possible by unique storage technology from Cleversafe. Bruce DuMont is the president and founder of the museum. DuMont spent much of his career as a television producer. One day at work he discovered a treasure trove of newsreels and tapes of broadcasts of great historical value.
www.nwdocfinder.com/8822

Network management: Regardless of the source, the news is the same: the economy has most companies cutting costs and many reducing workforce, or at the very least, demanding more from existing resources. Keeping networks humming along smoothly is challenging in the best circumstances, but under the conditions of fewer budget dollars and overloaded staffers, the degree of difficulty for the job is exponentially increased. Network management vendor Netcordia recently polled 450 network administrators to learn more about their biggest worries in the face of an ongoing recession. In December 2008, the vendor asked customers a handful of questions ranging from network availability to potential workforce reductions.
www.nwdocfinder.com/8823
Citrix sets hypervisor free, unveils mgmt. platform

Citrix on Monday is making its core virtualization platform free, and announcing an enhanced partnership with Microsoft to promote interoperability between Citrix’s XenServer hypervisor and Microsoft’s Hyper-V software. XenServer, which previously cost $3,000 per server, will be given away free and embedded in Citrix’s XenApp application delivery software, according to Simon Crosby, CTO of Citrix’s virtualization division. While XenServer won’t cost a dime, Citrix is introducing a product line called Essentials that will come at a price but provide advanced virtualization management capabilities for both XenServer and Microsoft’s Hyper-V. Citrix Essentials will allow virtual machines running on XenServer to be moved over to servers virtualized with Hyper-V and vice versa. The software will also include automated lab and life-cycle management for virtual machines, giving users self-service access to virtualized server resources. Essentials will cost $1,500 to $5,000 per server.
www.nwdocfinder.com/8841


HP cuts pay, benefits after poor financials. HP is reducing base pay and some benefits across the company in the wake of disappointing earnings and in an attempt to stave off mass layoffs, chairman and CEO Mark Hurd said last week. Hurd will cut 20% of his base pay while members of the Executive Council will see their base salaries reduced by 15%. Other executives will experience 10% reductions in base pay and the base pay of all other exempt employees will be reduced by 5%, according to Hurd’s internal memo. Reducing headcount on par with declining revenue could equate to 20,000 lost jobs, Hurd said, but instead HP opted to “stabilize our cost structure” by reducing pay and cutting other costs. “I don’t believe a major workforce reduction is the best thing for HP at this time,” Hurd said in the letter. As for its fiscal first quarter 2009 results, HP reported net revenue reached $28.8 billion, up 1% compared with the same period last year. Net income came in at $1.9 billion, down from $2.1 billion.
www.nwdocfinder.com/8842

Microsoft wins motion, loses one in Vista Capable case. Microsoft won a motion to end the class-action status of the Windows Vista Capable lawsuit last week, but lost a motion that could have ended the suit without a trial. The motion to end the class-action status of the lawsuit means the plaintiffs will have to sue Microsoft individually, instead of as a group that could have drawn in potentially thousands of other consumers who felt wronged by the issue. The case centers on claims that Microsoft misled computer buyers with the Vista Capable advertising campaign nearly a year prior to the release of the operating system. Plaintiffs argue they overpaid for computers because of the Vista Capable campaign and that the PCs they bought could only run the lowest-priced version of Vista, Home Basic. “We’re pleased that the court granted our motion to decertify the class, leaving only the claims of six individuals,” said David Bowermaster, a Microsoft spokesperson, in an e-mail. “We look forward to presenting our case to the jury, should the plaintiffs elect to pursue their individual claims.”
www.nwdocfinder.com/8843

Trustwave buys NAC vendor Mirage. Managed security provider Trustwave bought independent network access control vendor Mirage Networks and will add NAC to the list of services Trustwave provides. Initially the company will support NAC by installing Mirage NAC appliances at customer sites and managing them remotely, the company says. Over time, the Mirage technology will be integrated into Trustwave’s managed security platform, a unified threat management device that supports intrusion detection/prevention, antivirus software, e-mail security and firewalling. Trustwave says it had been getting customer requests for managed NAC services but had no formal program for delivering them. Both companies are privately held, and they did not disclose the purchase price.
www.nwdocfinder.com/8844

Intel eyes cloud computing with new hardware, software. Intel is making a push into cloud computing with forthcoming changes in its Nehalem server line aimed at large data-center deployments. Intel hopes to provide technology for low-range and midrange servers that can share workloads effectively if demand for a cloud application spikes, said Jason Waxman, general manager of high density computing at Intel. Server deployments would depend on resources needed by each cloud, with some requiring faster network connections or more memory. In addition to providing servers that deliver efficient cloud services, Intel wants the servers to be power-efficient and is developing a motherboard that reduces power drawn to 85 watts in idle compared with 115 watts for standard Nehalem-based boards. A reduction of 30 watts per server could save as much as $8 million in three years in a deployment of 50,000 servers, Intel said. The upcoming Nehalem-based boards will use Xeon processors due for release later this quarter.
www.nwdocfinder.com/8845

Storage start-up Copan gets $18.5 million. Investors have poured an additional $18.5 million into Copan Systems, a storage start-up that sells inexpensive disks to reduce the cost of storing copies of data. Founded in 2002, Copan is on the verge of reaching profitability with 160 enterprise customers such as Comcast, Facebook, the New York Stock Exchange and the U.S. government, according to CEO Mark Ward. The additional funding round led by new investor Westbury Partners will help build out distribution channels and bolster the company’s engineering organization to ensure key products are delivered later this year. “We’re currently an unprofitable company that will be profitable in mid-year of this year,” Ward says. “This cash will get us through to profitability and beyond.” Copan has raised $106 million in five rounds of financing since it was founded in 2002.
www.nwdocfinder.com/8846

Scientists claim big leap in nanoscale storage. Nanotechnology researchers say they have achieved a breakthrough that could fit the contents of 250 DVDs on a coin-sized surface and might also have implications for displays and solar cells. The scientists, from the University of California at Berkeley and the University of Massachusetts Amherst, discovered a way to make certain kinds of molecules line up in perfect arrays over relatively large areas. More densely packed molecules could mean more data packed into a given space, higher-definition screens and more efficient photovoltaic cells, according to scientists Thomas Russell and Ting Xu. The pair said they achieved a storage density of 10Tb (125GB) per square inch, which is 15 times the density of past solutions, with no defects. The technology might be commercialized in less than 10 years, if industry is motivated, Russell and Xu said.
www.nwdocfinder.com/8847

Federal agencies push new security audits


BY  ELLEN  MESSMER 

Some federal agencies, dissatisfied with the current way Congress mandates their networks be evaluated for security, are proposing an approach unveiled Monday that would encourage investment in automated defensive measures.

The proposed Consensus Audit Guidelines (CAG) are 20 security controls that begin with the concept of automated inventory-taking of authorized and unauthorized hardware and software for the purpose of assessing network security. Oriented toward specific technical measures that could be automated, CAG is an effort to gradually shift the federal agencies off the annual security compliance effort known as the Federal Information Security Management Act (FISMA), which Congress made law in 2003.

“The  federal  government  FISMA  legislation 
that  federal  agencies  comply  with  has  only 
proven  to  be  partially  successful,”  says  John 
Gilligan,  of  consultancy  Gilligan  Group. 

A  former  Air  Force  CIO,  Gilligan  has  become  a 
strong  backer  of  CAG,  which  began  last  autumn 
among  some  in  the  federal  agencies,  including 
the  CIO  Council,  with  help  from  Alan  Paller, 
director  of  SANS  Institute. 

Conforming with FISMA requires the inspector general of each agency to lead an evaluation of agency IT systems based on hundreds of pages of guidelines from the National Institute of Standards and Technology (NIST), tasked by Congress to come up with FISMA standards. These confidential FISMA reports are sent to Congress.

As CIO of the Air Force, Gilligan says he found FISMA focuses on security, though much of it was simply paperwork, and “it didn’t help you narrow down, what should I do first?”

Gilligan says he got a handle on what to do first when the “NSA would annually do an assessment of [Department of Defense] systems with their penetration analysis and call together the CIOs, and every time it was the same story: ‘We broke in, it was easy!’”

He says he’s convinced the government would benefit from a new approach requiring very technical steps, perhaps akin to the secure-software configuration effort of the Air Force five years ago.

CAG’s list of 20 controls is out for a month’s worth of public comment, and it features a broad list of both automated and non-automated practices that include continuous vulnerability testing and remediation, and secure configurations of hardware, software and network devices.

The CAG recommendation is part of a cybersecurity report to the White House.

Gilligan says agencies are intent on bringing agency inspector generals — as well as NIST and Congress — on board to prove CAG will work. To that end, agencies are working to set up “pilot sites” in their production networks where they can demonstrate how CAG controls would work in practice.

The CAG alliance wants feedback on how its guidelines mesh with other government and industry security-compliance efforts, such as the Health Insurance Portability and Accountability Act guidelines from the Department of Health and Human Services or the Payment Card Industry data standards.

The Consensus Audit Guidelines

Here is a sampling of some of the most critical security practices the audit recommends to protect federal and contractor data:

•  Inventory  of  authorized  and  unauthorized  hardware  and  software. 

•  Secure  configurations  for  hardware  and  software  for  which  configurations  are  available. 

•  Secure  configurations  of  network  devices  such  as  firewalls  and  routers. 

•  Boundary  defense.

•  Maintenance  and  analysis  of  complete  security  audit  logs.

•  Application  software  security. 

•  Controlled  use  of  administrative  privileges. 

•  Controlled  access  based  on  need  to  know. 

•  Continuous  vulnerability  testing  and  remediation. 

•  Dormant  account  monitoring  and  control. 

•  Anti-malware  defenses. 

Source: SANS Institute/Consensus Audit Guidelines Consortium

Global mobile show underwhelms


BY  JOHN  COX 

Whatever your expectations, this year’s Mobile World Congress — the premier showcase for the global cellular industry — was noteworthy for undermining them.

Android,  the  Google-fueled  open  source 
operating  system  expected  to  reshape  the 
mobile  market,  was  largely  missing  in  action. 
Only  a  couple  of  Android  phones  were 
announced  at  the  Barcelona,  Spain,  event, 
which  organizers  said  was  expected  to  draw 
50,000  attendees. 

Windows  Mobile,  the  proprietary  operating 
system  expected  to  be  doomed  to  irrelevance, 
was  the  operating  system  of  choice  for  several 
high-profile  smartphone  introductions  that 
supported  either  the  current  6.1  or  newly 
announced  6.5  release. 

People  expected  more  attempts  at  “iPhone 
killers.”  Instead,  the  phone  named  best  of  show 
was  an  anti-iPhone:  the  low-cost  INQ  1  Social 
Mobile,  unveiled  last  November,  boasts  a  UI 
integrated  with  Web  applications  and  services. 

LTE was expected to be ... well, exciting. But despite the live network demonstrations around Barcelona, and Verizon Wireless’ promise to have the technology up and running somewhere in the United States by year-end, LTE was a 4G yawn. “We suspect that a workable deployment model for limited spectrum in the robustly propagating 700MHz range will be long in development,” wrote Erick Kainer, an analyst with ThinkEquity, assessing the LTE news.

Android  MIA 

As  for  Android,  HTC  announced 
its  Magic  smartphone  running  the 
open  source  operating  system. 

And Adobe Systems announced that Flash Player 10 will be available for Android (and other phone platforms) later this year, allowing handsets to render Flash animation and video on Web sites.

The  rest  of  the  Android  news 
was  low-level  stuff  of  interest  to 
platform  developers.  Nvidia  allied 
with  the  Open  Handset  Alliance 
to  support  the  Android  stack  on  its 
upcoming  Tegra  chips,  designed 
to  create  advanced  graphics  on 
smartphones  while  minimizing 
power  use.  And  Texas  Instruments 
talked  up  an  Android  developer  kit  for  its 
OMAP3  silicon. 

The open source platform that got attention: the LiMo Foundation’s Linux-based stack. LG Electronics, Panasonic and Samsung all demonstrated mobile handsets using it.


Windows  Mobile  resurgent? 

By contrast, Microsoft’s proprietary Windows Mobile was the platform of choice for a number of high-profile smartphones unveiled at the show, and the company announced a significant upgrade: Version 6.5 with a new look to the UI, and the inclusion of IE Mobile 6, its first full-fledged Web browser for the mobile operating system.

LG Electronics plans to make Windows Mobile (now rebranded to just “Windows”) its primary operating system. The company plans to boost its volume of available Windows by 10-fold this year, and has 26 new models on tap for 2012 alone.

At the show, LG announced the LG-GM730, with LG’s 3-D S-Class UI, due out in mid 2009 with Windows Mobile 6.1, and an updated version in the second half of the year, with the just-announced Windows Mobile 6.5.

Other Windows phones included HTC Touch Diamond 2 and Touch Pro 2 (HTC created the first U.S. Android phone, T-Mobile’s G1), and the recently announced Toshiba TG01.

The  anti-iPhone 

But the phone that caught official attention at MWC, winning “Best Mobile Handset or Device” from the judges, was INQ Mobile’s INQ1 Social Mobile, first announced last November and now going into expanded global deployment.

INQ is a unit of Hutchison Whampoa, created to bring to market a very low-cost 3G phone that still would give users a superior Web experience. It’s designed to do that by integrating into the phone’s user interface a range of Web applications: Facebook, Skype, Windows Messenger and Last.fm. It supports push email and interfaces with Microsoft Exchange and Lotus Domino. The intent was to make social networking and Web access much faster, smoother and more intuitive.

The proprietary operating system incorporates Qualcomm’s Java-based BREW application development framework.

In the United Kingdom, the phone costs about $115, or is free with a monthly service contract of about $21. Comparable smartphones are closer to $200 when subsidized by carriers, and often require one- or two-year service contracts.

Integration: the new “wow-factor”

INQ isn’t alone in integrating the handset user interface with the applications available on the mobile Web. Microsoft took another step with its news of the Windows Marketplace for Mobile, an application store that will be installed on all future Windows Mobile 6.5 devices. It also announced the free My Phone service, which offers Web-based automatic backup and synchronization of phone data and content.

Nokia expanded the breadth of its own online service offerings, branded Ovi, by announcing the Ovi Store, which will be accessible to vast numbers of S40 and S60 Nokia devices. Going beyond Apple’s App Store, the Ovi service will be able to key applications to a user’s new location, and let users see what their contacts and friends have been downloading from the store. The store will open in May in nine countries.

In a related move, Nokia is working with Skype to create a VoIP client for Nokia’s just-announced, top of the line, S60-based N97 mobile computer. The client will work with the device’s address book, just as it does on the INQ1, to make placing calls to Skype users as simple as making a cell call. The software will be available in the third quarter.

That emphasis on mobile integration is the key to Palm’s Pre smartphone, due out in the next month or so, and its new webOS software. At MWC, Palm showcased the UMTS version of the Pre. And it released online the first chapter of a new book from O’Reilly Media, “Palm webOS: Developing Applications in JavaScript Using the Palm Mojo Framework.” It was the first step in publicly revealing details of the software platform. The company also joined Adobe’s Open Screen Project, to incorporate Adobe Flash Player with the webOS software by year-end.

Palm has claimed that any developers familiar with common tools like Cascading Style Sheets, XHTML, JavaScript and the like easily will be able to create applications that can run on the Pre. The webOS itself is multitasking, and Palm has demonstrated the Pre’s Palm Synergy application, a program that creates a single, integrated means of tracking and organizing multiple online calendars, contacts and messaging applications. If you update a contact on your Palm Pre, Synergy updates the same data on any of your online accounts.

That approach suggests a direction for enterprise mobile development. Many of the handsets and operating systems are aimed at consumers. But the need for what could be called “intuitive integration” is even more pressing on the enterprise side, coupled with stringent security requirements. This year’s MWC, almost in spite of itself, has given an outline of a promising new emphasis in enterprise mobile computing.


The INQ1 Social Mobile is a low-cost 3G phone with a set of tightly integrated social networking and Web apps.

Microsoft, Red Hat virtually partners


BY ELIZABETH MONTALBANO, IDG NEWS SERVICE

A virtualization deal struck last week between Microsoft and Red Hat shows the growing need for vendors to ensure customers can get cross-platform support for applications running in virtualized environments.

Under the terms of the deal, outlined in blog posts by Microsoft Senior Open Source Community Manager Peter Galli and Microsoft Virtualization General Manager Mike Neil, both companies will validate and offer customer support for each other’s operating systems on their virtualization technologies.

Specifically, Microsoft will offer customer support for Red Hat Enterprise Linux 5.2 and 5.3 guests on all editions of Windows Server 2008 Hyper-V and Microsoft Hyper-V Server 2008. For its part, Red Hat will support customers running Windows Server 2003 SP2, Windows 2000 Server SP4 and Windows Server 2008 guests on Red Hat Enterprise virtualization technologies.

The companies also will offer cooperative technical support for customers running Windows Server on Red Hat Enterprise virtualization and Red Hat Enterprise Linux on Windows Server 2008 Hyper-V. Future versions of these products will be validated under the agreement.

Stephen O’Grady, an analyst with open source research firm RedMonk, says the deal underscores how even competitors have to cross party lines to support virtualization, which is becoming an integral part of data centers that, more often than not, include both Windows- and Linux-based servers.

Virtualization enables companies to cut IT costs by allowing more than one operating system on a physical server by running software in virtualized containers. The technology lets a customer run applications on both Linux and Windows on one piece of hardware.

O’Grady notes that support for enterprise applications still hinges on what operating system an application is running on. “If you talk to application vendors, their support depends on an application platform,” he says. “They’ll support the app on Windows, on RHEL [Red Hat Enterprise Linux], but that’s as far as that goes.”

Because software can be running on one virtualized operating system — RHEL, for instance — that runs physically on a server running another operating system, such as Windows, it’s important for customers to know that both Red Hat and Microsoft will support them in such a scenario, O’Grady says.

“If I’m running RHEL virtualized on top of Windows, I need to make sure I’m supported commercially on every step of the way,” he said. “Virtualization pushes the boundaries of support and requires that vendors work well and effectively together.”

There is no love lost between Microsoft and Red Hat, which have traded barbs for years as fierce competitors with fundamentally different views of how software should be developed and distributed.

This may explain why the companies chose to unveil the pact — their most significant and public partnership to date — last Monday, a public holiday in the United States when many people had the day off from work. Companies typically will release news they hope will be overlooked by major news outlets on public holidays.

“I found the timing a little odd,” O’Grady agrees. However, Microsoft spokesman Patrick O’Rourke says there was nothing odd about it. Because the deal was aimed at a worldwide audience, the timing “worked well for most other countries” outside the United States. A Red Hat spokeswoman did not reply immediately to a request for comment on the deal’s timing.

Also curious is what the deal does not include: the exchange of intellectual property or “financial clauses” between the companies, except for “industry-standard certification/validation testing fees,” according to Red Hat’s press release.

No doubt Red Hat wanted to clarify that its deal with Microsoft is not the same as the one Microsoft struck with Linux distributor Novell two years ago, which did include exchange of IP and cash. At the time Red Hat executives said they were not interested in striking such a deal. In addition to ensuring interoperability between Novell SUSE Linux and Windows, the Novell deal indemnified users of Novell’s Linux against any claims of patent infringement for any Microsoft patents SUSE Linux might include.

IP  is  a  particularly  thorny  issue 
between  Microsoft  and  Red  Hat, 
exacerbated  not  only  by  the 
Novell  deal  but  also  by  claims 
made  by  Microsoft  CEO  Steve 
Ballmer  in  May  2007  that  Linux 
violates  more  than  235  patents 
Microsoft  holds. 

In response, Red Hat said its customers are protected from any patent claims by its Open Source Assurance Program, and many Linux proponents called Microsoft’s claims an attempt to spread fear, uncertainty and doubt among customers who purchase open source software in order to promote its own proprietary software.

O’Grady says it was probably Red Hat that lobbied hard against including IP-sharing in the deal to maintain its stance against the Novell deal and Microsoft’s patent-infringement claims.

“This is a different deal than Novell signed,” he says. “It’s far less controversial.”

Virtualization

continued from page 1

a  “critical  priority”  for  22%,  according  to  IDG 
Research  Services  Group. 

Respondents were virtualizing 6% of desktops at the time of the survey and expected to virtualize one-third by 2010. But the survey was conducted in April 2008, so recent economic changes could affect those numbers.

“Is [desktop virtualization] going to break out in 2009? I don’t see any reason it would,” IDC analyst Michael Rose says. “Frankly, the current economic environment is going to be a significant barrier for adoption of virtual desktops in the data center.”

True  ubiquity  could  take  another  five  years, 
given  current  financial  problems  and  the 
nature  of  PC  refresh  cycles,  he  says. 

Nonetheless, some early adopters are reporting success, with users embracing the notion of being able to access desktops from multiple locations and multiple devices.

“[Virtualizing desktops] is going to save us $250,000 per year that we were spending on desktop refreshes. There were some upfront costs, but we figure there will be a two-year ROI,” says Dustin Fennell, CIO of Scottsdale Community College in Arizona.

Additionally,  vendors  such  as  VMware  and 
Citrix  are  working  on  new  ways  of  providing 
virtual  desktops,  which  they  believe  will  spur 
greater  adoption. 

In virtualized desktop environments, the operating system, applications and associated data are abstracted from the user’s PC. Broadly speaking, there are two types of desktop virtualization. Local desktop virtualization runs the entire desktop environment in a protected “bubble” on a user’s PC. Hosted desktop virtualization stores the users’ desktops in the data center, requiring users to access their desktop images through a network connection. Within these categories are several sub-types.

In  the  hosted  desktop  virtualization  realm, 
enterprises  can  store  virtual  desktops  on  a 
standard  server  accessed  by  multiple  users 
simultaneously,  or  a  PC  blade  architecture  in 
which  each  blade  typically  serves  one  user  at 
a  time.  Users  can  connect  to  their  desktops 
using  thin  clients,  laptops  or  regular  desktops, 
but  hosted  desktops  usually  preclude  offline 
access. 

Local desktop virtualization is achieved either with a bare-metal, or Type 1, hypervisor, or a Type 2 hypervisor that is installed on top of the PC’s operating system. Bare-metal hypervisors are not yet widely available, but vendors say they will provide better security than Type 2 hypervisors, because the bare-metal type runs independent of the client operating system. They also deliver better performance than hosted desktops, because applications run on the local client instead of a remote server. Bare-metal hypervisors are being developed by VMware and Citrix as well as start-ups Neocleus and Virtual Computer. Citrix and VMware plan to release their bare-metal hypervisors in the second half of this year, while Virtual Computer is in beta and Neocleus has released a limited version of its hypervisor.

DESKTOP VIRTUALIZATION ON THE RISE

• Hosted virtual desktop revenue will quadruple worldwide to nearly $300 million in 2009.

• 41% of companies surveyed are already investing in desktop virtualization.

• At 22% of companies, desktop virtualization is a “critical priority.”

• 6% of desktops have been virtualized.

• 34% will be virtualized by 2010.

SOURCES: Gartner; IDG Research Services Group survey of 340 IT managers

Local virtualization makes sense for mobile workers, who can be given separate operating systems, one for business use and one for personal use, says Sumit Dhawan, vice president in the desktop delivery group at Citrix. But local virtualization has so far relied on Type 2 hypervisors, and hasn’t taken off partly because there is no true independence between virtual machines, he says. When the hypervisor is installed on top of the operating system, all data that goes to the guest operating system must first travel through the primary operating system, and this overhead impacts performance, he says.

Citrix is collaborating with Intel on its bare-metal hypervisor, which Dhawan says will provide great performance for users as well as the convenience of central management for IT administrators. Unlike Citrix XenDesktop, which is hosted in the data center and affords no offline access, the planned bare-metal hypervisor will let users work offline and synchronize changes from a standardized corporate image when they log on.

VMware is creating a bare-metal hypervisor that runs on each user’s machine yet gives IT a “golden image” that can be managed centrally. VMware’s long-term goal is to merge the two concepts of hosted and local desktop virtualization, dynamically moving the desktop image back and forth between the device and data center, says Jerry Chen, VMware’s senior director of enterprise desktop virtualization.

Neocleus, meanwhile, will release its full product in beta next month and is promising far better security than exists in most desktop environments. In addition to separating personal and business computing into separate operating systems, each operating system will run in its own “bubble,” which, if infected, could be deleted, preserving the integrity of the machine, the company says. Centralized management tools will let IT pros set policies preventing users from accessing devices or applications, and governing interactions between virtual machines.

Neocleus plans to charge $50 to $100 per desktop. The premium version of VMware View costs about $250 per virtualized desktop, Chen says.

Running  the  numbers 

To figure out the ROI for a desktop virtualization project, an IT shop has to take multiple factors into consideration. Virtualization might be used to extend the life of older desktops, resulting in up-front savings. On the other hand, a virtualization project might include purchasing of thin clients or other new devices. Additionally, a hosted desktop model requires servers or PC blades to host desktops and networked storage to support virtual machines.

Anecdotally, Forrester analysts have found that enterprises spend about $860 per user, plus network upgrades, to get a desktop virtualization project up and running in the first year.

Despite healthy revenue projections, the hosted virtual desktop market will experience “growing pains” throughout this year and early 2010, according to Gartner. Cost savings amount to about 3% to 10% compared with a well-managed, secure desk-based PC, the analyst firm says.

“Most customers, particularly those hard-pressed because of economic conditions, will find it difficult justifying the additional capital needed for the infrastructure build-out,” Gartner writes. “New and sizable investments in the areas of storage, networks, servers, power, cooling and other infrastructure will press organizations into early investments.”

Hosted  virtual  desktops  will  become  less 
costly  over  time  as  vendors  develop  better 
management  technologies,  Gartner  says. 

At Scottsdale Community College, Fennell installed XenDesktop and other Citrix technologies both to virtualize college-owned desktops and provide remote access to students and teachers with their own devices. Previously, some students had to travel to campus even when they didn’t have class, just so they could use certain applications.

In addition, patching desktops is easier and the college is extending the life of some older desktops by treating them as thin clients. The college can support 500 concurrent users on 12 physical servers, but is looking to scale that number up significantly.

“We needed something that would poise us to spend our money more wisely than just replacing black boxes,” Fennell says. “We wanted a strategy that would not only update our technology but at the same time increase users’ access.”

HP officials, who are selling blade PCs bundled with Citrix virtualization software, acknowledge that virtualization typically involves more upfront cost than a PC refresh, but say many customers start reaping financial benefits after little more than a year.

continued from page 1

The SRX 5800 is a chassis-based system. Prepopulated with two switch control boards to manage inter-card communications, it’s up to the customer to insert I/O cards or Service Processing Cards (SPC) as needed. The I/O cards come in two flavors: four-port 10G Ethernet or 40-port 1-gigabit Ethernet. You can mix and match I/O cards with the SPCs, which handle services such as firewall and IPS. (See how we conducted our test at www.nwdocfinder.com/8837.)

While  this  system  is  clearly  aimed  at  nonstop  environments,  Juniper 
hasn’t  gotten  all  of  its  hot-swap  technology  in  the  single-chassis  version. 
You  can’t  insert  or  remove  cards  without  interrupting  traffic  flow. 
Juniper’s  solution  is  chassis  clustering  —  linking  two  of  these  monster 
boxes  into  a  cluster  that  lets  you  take  a  chassis  down  for  maintenance, 
upgrade  or  repairs,  while  still  passing  traffic. 

The SRX’s operating system is JunOS through-and-through, with firewall and IPS features from Juniper’s NetScreen acquisition layered on top. If you like managing routers from the command line and have a modest firewall policy, you’ll take to the SRX 5800 right away. It’s got the JunOS you love, a rock-solid stateful firewall and the fastest performance of any firewall on Earth.

Performance  metrics 

When Juniper initially told us it would supply its SRX 5600 firewall, a
60Gbps system, we sized our test bed accordingly. So it was a bit of a
surprise when the company instead sent the larger SRX 5800, which its data
sheet lists as a 120-Gbps firewall. Both systems support as many as 16 10G
Ethernet interfaces, but the 5800 offers twice the forwarding capacity —
and twice what our test bed could generate in terms of TCP traffic.
Juniper populated this chassis with eight of its dual-CPU SPCs,
completely filling the 14-slot chassis.

Although the test bed at Spirent’s Sunnyvale SPOC lab offered “only”
80Gbps of TCP traffic for this particular project (using 16 Spirent
Avalanche 2900 appliances), we were able to fully exercise the SRX 5800
by offering up to 160Gbps of stateless UDP traffic (using a Spirent
TestCenter traffic generator/analyzer). We ran separate sets of TCP and UDP
tests, and assessed the system’s features and usability.

The UDP tests demonstrated the SRX 5800’s high capacity. In tests with
maximum-length 1,518-byte frames, throughput was more than
137Gbps, with average latency of 76 microsec. Enabling network address
translation (NAT) on the firewall exacted no performance penalty; both
throughput and latency were virtually identical to the no-NAT case.

The system was far slower when handling 64- and 256-byte frames, with
throughput of 6.9G and 29Gbps, respectively. Average latency also was
higher, at 152 and 292 microsec for 64- and 256-byte frames.

But lower performance with UDP isn’t necessarily a problem for most
users. UDP represents 5% or less of total Internet traffic, according to
samples observed by CAIDA and other sources. TCP forwarding capability is
a far more meaningful performance metric for most security devices.

To  assess  TCP  performance,  we  configured  the  Spirent  Avalanche 
appliances  to  act  as  Web  clients  and  servers,  with  2,400  emulated  users 
each  requesting  512-kbyte  objects  through  the  firewall.  We  ran  this  test 
repeatedly  in  a  variety  of  configurations. 

•  As  a  firewall  alone, the  SRX  5800  is  a  stellar  performer.  It  moved  HTTP 
traffic  at  an  aggregate  rate  of  78Gbps,  the  maximum  possible  from  our 
test  bed.  We  didn’t  enable  NAT,  but  given  the  results  of  our  UDP  tests  we 
don’t  believe  there  would  be  any  performance  penalty  for  doing  so. 
Response  times  held  steady  throughout  the  test,  with  users  getting  their 
objects  in  an  average  of  131  millisec. 

• When we enabled IPS, it was a very different story. Aggregate
forwarding rates plummeted from 78Gbps to around 30Gbps even with no
attack traffic present. We enabled the 252 attack signatures Juniper
recommends, those representing major and critical events. Again, this test
was run only with benign traffic. Thus, users who need intrusion
prevention can expect a major performance hit even before any attacks come
along. This was not unexpected, though: Juniper’s own data sheet offers
30Gbps as the speed to expect with the SRX 5800.

• Running the same configuration with NAT and intrusion detection
produced virtually the same result as intrusion prevention
alone. Moreover, response times were only marginally higher than
when the SRX was configured as a firewall alone, with users getting their
objects in 160 millisec or less.

However, these tests were all done with Juniper’s recommended IPS
policy, a carefully selected and tuned policy designed to balance
security with connectivity and performance. One important part of these
policies is that they are focused on client-to-server interactions. In other
words, they identify malicious traffic aimed at servers but do not catch
server-to-client malware. Because our test traffic was largely HTTP, that
means the IPS spent most of its time looking at attack traffic to the Web
servers, only about 650Mbps. The rest of the traffic coming from the Web
server, more than 29Gbps, while subject to some inspection for protocol
anomalies and other lower-layer attacks, was not examined in-depth by
the IPS.

• When we added in server-to-client protections from Juniper’s IPS
signature library, performance dropped even further, to as little as 8Gbps.
The lesson is clear: be very careful what IPS policy you use, because
picking the wrong elements can dramatically affect performance.

If packet inspection alone caused a traffic slowdown, then the results
with actual attacks present can only be described as gridlock. Using a
Spirent ThreatEx security assessment tool, we aimed 13 UDP-based
attacks at targets behind the SRX firewall while continuing to offer
benign Web traffic from the Avalanche appliances.

Picking a “typical” attack level is fairly difficult. Some experts suggest
that between 1% and 3% of Internet traffic can be categorized as
malicious traffic of the type you would expect an IPS to identify and filter.
Because the SRX 5800 topped out at about 30Gbps with IPS enabled,
600Mbps of attack traffic would represent about 2% of the total.

Initially, we offered the UDP attacks at a maximum rate of 660Mbps.
Instead of reaching the 30Gbps SRX limit with IPS enabled, traffic rates fell
to a paltry 160Mbps, and did not fully recover once we stopped the
attack. The SRX’s CPUs were all nearly 100% utilized during the attacks.

Juniper expressed surprise at these results. Juniper was able to
reproduce the problem in its labs, and the company believes we saw the
dramatically lower throughput because our UDP attacks had filled up the
session table of the SRX 5800, which has a maximum of 4 million entries.
Because of the size and complexity of the hardware and test lab setup,
we were unable to revisit this test and verify Juniper’s claims.

Because an attack at 660Mbps represents a heavy barrage in anyone’s
book, we repeated the attack at the far lower rate of 10Mbps. That’s not
3% attack traffic, but 0.03% attack traffic. This level of directed attack is
very credible — a few dozen compromised PCs on cable modem or
DSL connections can easily generate 10Mbps of stateless attack traffic.
The 10Mbps traffic has another advantage: at a mere 4,000
sessions/second, we weren’t going to fill up the SRX 5800’s session table in
our two-minute test. Forwarding rates plunged again, this time to less than
2Gbps, and traffic again fully taxed the system’s CPUs.
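
The session-table reasoning in the two paragraphs above, worked as an added example (not part of the original review, and not Juniper's or the testers' code): a simplified model of a fixed-size session table receiving a steady stream of one-packet UDP sessions. The 4-million-entry limit, the 4,000 sessions/second at 10Mbps and the two-minute duration come from the review; the 60-second idle timeout, the proportional scaling of the session rate to 660Mbps and the refuse-when-full behavior are assumptions of the model.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Figures taken from the review
TABLE_CAPACITY = 4_000_000   # maximum session-table entries
TEST_SECONDS = 120           # two-minute test
LOW_RATE_MBPS = 10           # lighter attack rate
LOW_RATE_SESSIONS = 4_000    # new sessions/second observed at 10Mbps
HIGH_RATE_MBPS = 660         # heavier attack rate

# Assumption for this model: hypothetical idle timeout for a UDP session
ASSUMED_IDLE_TIMEOUT = 60


@dataclass
class Result:
    peak_entries: int                  # highest table occupancy seen
    first_full_second: Optional[int]   # first second the table was full
    refused_sessions: int              # new sessions with no free entry


def scale_sessions(mbps: int) -> int:
    """Assumption: session rate scales linearly with offered bit rate,
    using the review's 10Mbps == 4,000 sessions/second data point."""
    return LOW_RATE_SESSIONS * mbps // LOW_RATE_MBPS


def simulate(sessions_per_sec: int, idle_timeout: int,
             capacity: int = TABLE_CAPACITY,
             seconds: int = TEST_SECONDS) -> Result:
    """Step the table one second at a time. Each new session is a single
    packet, so its entry is never refreshed and ages out after idle_timeout."""
    live = deque()          # (expiry_second, entry_count), oldest first
    entries = peak = refused = 0
    first_full = None
    for now in range(1, seconds + 1):
        # Age out entries whose idle timer has expired
        while live and live[0][0] <= now:
            entries -= live.popleft()[1]
        # Admit as many new sessions as there are free entries
        admitted = min(sessions_per_sec, capacity - entries)
        refused += sessions_per_sec - admitted
        if admitted:
            live.append((now + idle_timeout, admitted))
            entries += admitted
        peak = max(peak, entries)
        if entries == capacity and first_full is None:
            first_full = now
    return Result(peak, first_full, refused)


if __name__ == "__main__":
    for mbps in (LOW_RATE_MBPS, HIGH_RATE_MBPS):
        rate = scale_sessions(mbps)
        r = simulate(rate, ASSUMED_IDLE_TIMEOUT)
        print(f"{mbps}Mbps -> {rate} sessions/s: peak {r.peak_entries}, "
              f"full at second {r.first_full_second}, "
              f"refused {r.refused_sessions}")
```

Under these assumptions the 10Mbps run never exceeds 480,000 entries even with no aging at all, while the 660Mbps run exhausts the table within the first 16 seconds, which is consistent with the review's reasoning that table exhaustion could explain only the heavier test.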

We should note that the SRX was configured only to inspect packets,
not to try to mitigate any attack. But because even a relatively light load
of 10Mbps of attack traffic caused the whole system to become
CPU-bound, it’s unlikely that enabling mitigation features would have
significantly altered the outcome.

IPS  management  falls  short 

As part of the integration of firewall, VPN and IPS security features from
its NetScreen product line into JunOS, Juniper has extended its security
management tool, NetScreen Security Manager, to cover the JunOS
platform, while re-badging the product as Network and Security Manager.
(See related story right.)

While trying to manage the SRX 5800, we found ourselves stumbling
through an unusable configuration interface and inconsistent attack
databases. Worse, we were completely blind when it came to IPS
management, an unacceptable position. The combination of poor IPS
performance along with difficult configuration and nearly impossible
management suggests that while the SRX 5800 may be a fine, speedy firewall,
the IPS should not be used until Juniper resolves significant and
substantial manageability problems.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be
reached at joel.snyder@opus1.com. Newman is president of Network
Test, a benchmarking and network design consultancy. He can be
reached at dnewman@networktest.com.
Manageability problems

Our woes with Network and Security Manager began
when we tried to use it to manage the SRX 5800. With
eight years of experience using NSM in Opus One’s labs,
we were looking forward to the unification of JunOS and
ScreenOS management. We started out needing to change IP
addresses, a common enough task. For a ScreenOS system,
this takes three clicks: two clicks to see a summary of interfaces
and IP addresses, and a third to begin editing.

The SRX 5800 was not so easy. It's impossible to get something
as simple as a list of interfaces and their IP addresses.
You have to find the physical interface, and then click through
a series of submenus just to find out what the IP address is —
nine of them. And if you know the IP address but can’t
remember which port it’s connected to, you might as well give
up and use the command line to figure it out, because NSM
would make you click through eight levels of menus just to see
each IP address.

Where  NSM  does  excel  is  in  security  policy  definition.  We 
were  relieved  to  see  that  the  normal  NSM  tools  for  creating 
and  editing  policy  could  be  applied  to  the  SRX  5800  -  that  is, 
until  we  tried  to  turn  on  network  address  translation  (NAT). 
Now,  you  can  turn  on  NAT  in  the  security  policy  and  push  that 
policy  with  NSM,  but  it  doesn’t  do  anything  on  the  firewall.  No 
error  message,  no  warning  and  no  NAT.  We  only  discovered 
NAT  wasn’t  working  when  we  started  doing  packet  dumps  to 
debug  a  different  problem. 

The SRX 5800 does support NAT, but you have to go back to
the nine-levels-deep style of configuration. The experience is
about as pleasant as poking values into an SNMP-managed
switch by hand — and, of course, about as error-prone and
difficult to document. We ended up using shortcuts provided by
Juniper’s engineers, putting the NAT configuration in using the
JunOS command line, and re-importing the device into NSM.

We then tried to create an intrusion-prevention system
(IPS) policy and ran into another problem in NSM: inconsistent
databases. We selected Juniper's recommended security
policy and tried to push it to the SRX 5800. Immediately, NSM
threw back errors — the SRX 5800 had a different set of policy
elements than NSM thought. We had to go through the policy
by hand and re-craft it so that the signatures missing from
the SRX 5800 were not being selected in order to get a clean
policy download.

The final nail in NSM's coffin, at least for this version, came
when we wondered how well the IPS was working. In a normal
ScreenOS deployment, there is a nicely designed workflow
that feeds back information from the IPS into the NSM
console. This lets the security manager see how the IPS is
performing, and then immediately and easily make policy
changes. With the SRX 5800, this workflow is broken: security
alerts cannot be sent to NSM.

Instead, Juniper told us that we should send security alerts
to a SYSLOG server. We found that answer unacceptable:
When the alerts are sent to a SYSLOG server other than
NSM, the workflow process is broken, and managing the IPS
policy and interpreting its results becomes an impossible task.
Centralized logging has to be coordinated with NSM,
especially in the area of intrusion prevention. In the past, we’ve
lauded Juniper for the value that NSM brings to an IPS
deployment. With the SRX 5800, Juniper takes a giant leap
backward in IPS management.

—  DAVID  NEWMAN  AND  JOEL  SNYDER 
Sprint offers a robust foundation for Unified Communications

Sprint  announces  Global  MPLS  and  SIP  Trunking  services  to  support  Microsoft  Office  Communications 
Server  2007  Release  2  and  puts  the  technology  to  use  internally  to  improve  productivity  and  save  millions. 


In these challenging economic times, organizations are looking
to  cut  costs  wherever  they  can — and  to  get  near-immediate 
payback  from  any  investments  they  do  make.  At  first  blush,  that 
may  seem  like  a  hostile  environment  for  launching  new  IT  initiatives. 
But  when  those  initiatives  provide  payback  in  less  than  a  year — and 
ongoing  productivity  improvements  and  cost  savings  thereafter— 
they’re  the  kind  of  investments  any  company  would  be  eager  to  make. 

Unified  Communications  (UC)  technology  not  only  promises  just  that 
kind  of  savings,  it  delivers.  The  technology  provides  the  ability  to  integrate 
various  forms  of  communications — including  voicemail,  e-mail,  instant 
messaging,  audio  and  video  conferencing — with  presence  capabilities 
that  make  it  easy  to  see  who  is  available  when.  Add  to  that  advanced, 
IP-enabled  calling  features  such  as  number  mobility,  “find  me,  follow  me” 
and  personalized  call  routing,  and  it’s  easy  to  see  how  UC  can  vastly 
improve  productivity,  by  making  it  far  easier  for  employees,  customers 
and  partners  to  get  in  touch  with  one  another  and  get  things  done. 

For  a  commissioned  study  conducted  on  behalf  of  Microsoft, 
Forrester  Consulting  interviewed  15  companies  that  use  Microsoft 
Unified  Communications  products  and  services 
and  applied  its  Total  Economic  Impact™  (TEI) 
methodology  to  a  composite  organization  meant  to 
represent  the  collective  experiences  of  all  15.  The 
composite  organization,  with  4,000  employees  and 
$900  million  in  annual  revenue,  realized  an  ROI  of 
563%  on  its  UC  deployment — even  adjusted  for  the 
inherent  risks  associated  with  the  project. 

While  the  total  benefits  Forrester  tallied  amount 
to  nearly  $57  million  (see  chart),  the  cost  of 
the  project  was  only  $6.8  million,  including  all 
hardware,  software,  professional  services,  training 
and  internal  administration. 

Sprint  can  echo  those  findings.  The  company’s 
internal  IT  department  will  realize  savings  of  more 
than  $6  million  per  year  in  telecom  costs  alone  from 
its  deployment  of  Microsoft  Office  Communications 
Server  2007,  which  is  bringing  Voice  over  IP  (VoIP)  and  Unified 
Communications  technology  to  nearly  500  Sprint  offices  nationwide. 

Sprint’s  UC  strategy  reflects  the  company’s  ability  to  enable  its  partners’ 
UC  solutions  with  best-in-class  convergence  solutions,  including: 

•  Sprint  Global  MPLS  virtual  private  network  service:  A  secure,  robust 
and  reliable  transport  network. 

• Sprint SIP Trunking: A pure, Session Initiation Protocol (SIP)-based
IP  service  that  includes  local  and  long-distance  services. 

•  Sprint  Wireless  Integration:  Technology  that  makes  Sprint  CDMA 
phones  full  participants  in  an  enterprise  UC  environment,  with  the 
same  capabilities  as  desktop  phones. 

Sprint  and  Microsoft,  working  together 

Sprint  is  also  working  with  Microsoft  to  help  deliver  to  customers  the 
same  kinds  of  benefits  Sprint  IT  receives.  Sprint  Global  MPLS  and  Sprint 
SIP  Trunking  services  complement  Microsoft  Office  Communications 
Server 2007 R2, providing the kind of reliable, high-performance
wide-area network services that UC requires.

For  its  part,  Microsoft  offers  best-of-breed  Unified  Communications 
technology,  landing  in  the  leaders’  quadrant  in  Gartner’s  September 
2008  report,  “Magic  Quadrant  for  Unified  Communications.” 
With  Microsoft  Office  Communications  Server  2007,  users  gain 
sophisticated  communications  capabilities  from  within  the  familiar 
interfaces  of  Microsoft  Office  System  applications,  making  it  simple  to 
take  advantage  of  the  benefits  Unified  Communications  has  to  offer. 

End-user  benefits 

For  end  users,  those  benefits  are  many.  Presence  capabilities 
enable  users  to  easily  see  the  status  of  others,  such  as  whether  they 
are  online  and  available,  in  a  meeting  or  out  of  the  office.  Click-to-call 
lets  them  literally  click  on  a  user’s  name  from  within  an  application  to 
initiate  a  phone  conversation. 

Office  Communications  Server  2007  R2  also  supports  mobility  in 
various  ways.  Workers  located  anywhere  with  a  high-speed  Internet 
connection  can  make  or  receive  calls  from  their  PCs  as  if  they  were 
in  the  office.  Because  the  entire  UC  infrastructure 
is  available  from  anywhere,  users  can  significantly 
improve  their  response  time  to  important  calls  or 
e-mails  from  colleagues,  partners  and  clients. 

Users  can  also  quickly  move  from  one  form  of 
communications  to  another  as  needs  dictate.  If 
they’re  on  a  phone  call  with  a  colleague  and  need  to 
share  a  document,  with  just  a  few  button  clicks,  both 
workers  can  be  in  a  Microsoft  Office  LiveMeeting 
session,  viewing  and  editing  the  document. 

Similarly,  it’s  a  simple  matter  to  switch  from 
instant  messaging  (IM)  to  a  voice  call  to  a 
videoconference.  With  both  desktop  and  room- 
based  videoconferencing  available  and  simple  to 
use,  companies  now  have  a  real  opportunity  to 
reduce  travel  costs. 

Benefits  to  IT 

UC  also  provides  significant  benefits  to  the  IT  department.  Microsoft 
Office  Communications  Server  2007  provides  a  simple,  reliable  platform 
for  implementing  VoIP  that  can  lower  telephony  costs  by  enabling  calls 
to  be  carried  over  the  same  wide-area  infrastructure  used  for  data — 
such  as  the  Sprint  Global  MPLS  network.  Customers  can  also  avoid 
outfitting  each  employee  with  an  expensive  desktop  phone,  enabling 
them  to  instead  attach  a  headset  to  their  desktop  or  laptop  computer 
and  enjoy  the  various  benefits  that  brings,  including  click-to-call. 

Organizations  that  have  already  implemented  VoIP  can  maximize 
their  investments  by  adding  advanced  UC  capabilities.  Microsoft 
Office  Communications  Server  2007  is  a  single  platform  that  combines 
multiple  UC  applications  on  its  own  and  integrates  seamlessly  with 
other  Microsoft  offerings,  including  Microsoft  Exchange  Server  2007 
and  Active  Directory.  That  makes  Office  Communications  Server  2007 
simpler  to  deploy  than  alternatives  that  require  patching  together 
applications  from  multiple  vendors. 



The  Sprint  advantage 

Sprint  adds  additional  benefits  to  a  UC  implementation  with  its  mix 
of  wide-area  network  services  and  integration  work  with  partners  like 
Microsoft. 

The  Sprint  Global  MPLS  offering  provides  the  foundation  for 
supporting  highly  secure  real-time  applications,  a  critical  element  for 
any  enterprise  UC  implementation.  Sprint’s  Global  MPLS  network  is 
a  high-performance,  reliable  offering  that  is  also  simple  to  price  and 
implement.  Customers  pay  only  a  port  and  access  charge,  with  no 
additional fees for the quality-of-service levels required to support
real-time applications.

Sprint  SIP  Trunking  provides  connections  to  UC  infrastructure  based 
on  the  SIP  signaling  protocol  for  setup  and  teardown  of  multimedia 
communications  sessions  over  the  Internet.  SIP  enables  compliant 
equipment,  such  as  IP  PBXs,  to  make  calls  directly  over  the  Internet, 
with  no  need  for  the  Internet-to-PSTN  gateways  required  with  some 
PBX-based  implementations.  Sprint  SIP  Trunking  supports  Microsoft 
Office  Communications  Server  2007  R2,  adding  to  existing  support  for 
equipment  from  Avaya,  Inc.,  Cisco  Systems,  Inc.  and  Nortel  Networks. 

Sprint  Wireless  Integration  enables  users  to  fully  integrate  their  Sprint 
CDMA  handsets  with  the  IP  and  UC  infrastructure.  Even  when  a  call  is 
placed  directly  to  the  wireless  handset,  users  have  all  the  functionality 
of  the  UC  environment  at  their  disposal.  That  means  calls  can  be 
transferred  seamlessly  between  mobile  phones  and  desk  phones. 
Users  can  also  configure  incoming  calls  to  ring  both  their  mobile  and 
desk  phones  simultaneously,  and  have  the  call  connect  to  whichever 
phone  answers.  Sprint  Wireless  Integration  is  available  today  with 
Cisco  and  Avaya. 

Sprint  puts  UC  to  work 

Sprint  is  also  making  investments  in  UC  technology  for  its  own  internal 
use,  as  the  company  is  in  the  process  of  deploying  the  technology  to 
some  489  offices  nationwide,  says  Joe  Hamblin,  manager  of  unified 
communications  for  client  services  in  Sprint’s  IT  organization.  When 
fully  deployed,  the  effort  is  expected  to  save  the  company  $6  million 
per year in local carrier charges, plus another $2 million every 18 to 24
months  by  obviating  the  need  for  PBX  upgrades  and  maintenance. 

Sprint  embarked  on  its  UC  project  to  replace  a  legacy  PBX  infrastructure 
and  to  deal  with  an  increasingly  mobile  workforce.  The  company  piloted 
Microsoft  Office  Communications  Server  2007  and  was  attracted  to  the 
cost  equation  it  presented.  Under  the  PBX  configuration,  the  monthly 
costs  for  a  typical  100-person  office  included: 

• Two ISDN PRI circuits at $800 to $1,200 each

•  A  “last  mile”  VPN  circuit  at  $400  to  $800 

•  Last-mile  voicemail  circuits  at  $400 

The  pilot  showed  all  of  that  could  be  replaced  with  a  single  Sprint  SIP 
Trunking  circuit  and  a  server  running  Microsoft  Office  Communications 
Server  2007  R2,  resulting  in  significant  cost  savings  at  each  location. 

After  field  trials  in  August  and  September  of  2008,  Hamblin’s  team 
initially  began  converting  two  to  four  sites  per  week,  and  is  now  up  to 
six  to  eight  sites  per  week.  Already,  though,  the  benefits  are  clear. 

Employees  find  it  easy  to  employ  UC  features  because  they  are 
tightly  integrated  with  the  Microsoft  Office  System  applications  they 
routinely  use.  From  the  Office  Communications  Server  client,  they 
can  instantly  see  the  availability  status  of  colleagues,  then  use  the 
most  appropriate  means  of  communications.  With  a  click  on  a  name, 
they can initiate an IM session, and elevate that to a voice, video or
conference call with another click or two.

Tallying the savings from Microsoft Unified Communications

Forrester Consulting cites the following savings for a
composite organization representing the experiences of 15
companies it surveyed. Savings are over a 3-year period.

Productivity improvements for individuals and workgroups: Nearly $20 million

Travel cost savings: Nearly $15 million, conservatively

Reducing the time to complete projects: About $15 million

Shortened sales cycle: $5 million

Reduced costs for dial-in conferencing and lower telephone call costs: $1.8 million

SOURCE: “The Total Economic Impact of Microsoft Unified Communications
Products and Services," October 2007, a commissioned study conducted by
Forrester Consulting on behalf of Microsoft.

That  kind  of  ease  of  use  has  LiveMeeting  catching  on  quickly.  “In 
November,  we  conducted  over  19,000  LiveMeeting  sessions  on  our 
internal  OCS  platform,”  Hamblin  says. 

Mobile  phones  are  likewise  tied  in,  as  users  can  enter  their  mobile 
phone  numbers  and  have  calls  to  their  desk  phone  simultaneously  ring 
both  lines,  or  forward  calls  to  their  mobile,  home  or  any  other  number. 

Whenever  users  have  their  laptops  with  them  and  access  to  a 
broadband  Internet  connection,  they  can  make  and  receive  calls  and 
use  all  the  other  tools  as  if  they  were  in  the  office.  “We  look  at  it  as  work 
is  not  someplace  you  go,  but  something  you  do,”  Hamblin  says. 

Sprint’s  UC  implementation  also  enables  a  $50  headset  to  replace 
a  $500  handset  -  a  significant  savings  when  you’re  dealing  with 
thousands  of  employees. 

Leading  the  way  to  UC 

UC  technology  can  help  any  company  improve  productivity  while 
reducing  costs.  Companies  always  welcome  the  opportunity  to  save 
money,  but  it’s  even  more  important  in  a  challenging  economy.  Indeed, 
the  IT  dollars  they  save  with  UC  may  well  turn  into  investments  that 
generate  crucial  new  revenue,  while  productivity  gains  help  them 
become  more  nimble,  responsive  and  successful. 

With  its  combination  of  Global  MPLS  infrastructure,  SIP  Trunking  and 
the  advanced  mobility  technology  that  Sprint  Wireless  Integration  brings, 
Sprint  can  deliver  the  reliable,  high-performance  communications 
infrastructure  that  is  crucial  to  any  successful  UC  implementation. 
And  Sprint  has  put  the  effort  into  integrating  with  leading  UC  software 
providers  like  Microsoft  so  that  every  deployment  can  be  confident  their 
software  will  work  with  the  Sprint  infrastructure.  Sprint’s  even  got  the 
hands-on,  “walk  the  talk”  experience  within  its  own  IT  team  to  prove  it. 


Learn  more  about  Sprint  services  that  support  Unified  Communications. 

Visit:  www.sprint.com/convergence 


FTC  principles  for  behavioral  advertising 


The Federal Trade Commission recently
published a somewhat tweaked set of
self-regulation guidelines for companies
collecting information on the actions of Internet
users for the purpose of providing advertising
to those users. I expect the FTC does not feel it
has the authority to make any binding rules
without congressional action. But, even
agreeing with that limitation, these principles are
underwhelming and, as demonstrated by
Google, are limited in usefulness even where
companies claim to meet them.

The four FTC principles are at the end of a staff report titled
“Self-Regulatory Principles For Online Behavioral Advertising.” They basically
try to encourage good behavior on the part of companies engaged in
behavioral advertising. The principles are:

1. Transparency and customer control — Web sites collecting data to
be used in behavioral advertising should inform users and enable
them to opt out.

2. Reasonable security and limited data retention for customer data
— anyone collecting such data should provide reasonable security for
it and only retain the data as long as needed.

3. Affirmative express consent for material changes to existing
privacy promises — new privacy policy should not control use of data
collected under previous privacy policy without user opt-in.

4. Affirmative express consent to use sensitive data for behavioral
advertising — such data (like Social Security numbers) should not be
used without user opt-in.

These  principles  are  OK,  but  have  no  teeth:  they  are  voluntary  and 
there  is  little  if  any  real  penalty  if  a  company  ignores  them. The  FTC 
might  ask  the  companies  pretty  please  to  stop,  but  that’s  about  it. 

My biggest problem with the FTC principles is that they represent yet
another point solution to a symptom rather than anything addressing
the underlying cause.

Why  should  principles  such  as  these  be  limited  to  the  specific  case 
of  behavioral  advertising?  Why  shouldn’t  we  have  principles  that  apply 
to  all  information  about  me  that  someone  else  gets  a  hold  of? 

The FTC principles have been diluted in favor of the advertising
industry rather than being shaped primarily by our best interests. I note
that the FTC staff lists industry representatives first when identifying
who they talked to. The principles are not all one-sided — they do
include some things that the industry objected to, but not many.

Google has expressed support for the FTC’s action, but this may be a
very good example of what is lacking in these principles. As I
mentioned in last week’s column, Google is less than forthcoming when
addressing the transparency requirement. I have not been able to
figure out just what they collect about me and my actions with their
various tools (including the basic search engine, Google Analytics, Google
Earth and Google Latitude).

After last week’s column I was contacted by someone from Google
who said my fears about Latitude were overblown because they only
keep a single location, the last one received, for people who have
enabled location sharing via Latitude. That is good news. When I asked
where on the Google Web page the company says that, the response
was that it was towards the end of a video on YouTube. This is a perfect
example of what is wrong with the FTC principles — Google cannot
even get it together enough to put good privacy news on its Web page
in a way that the user can find and understand it.

Disclaimer: Understanding underlying principles is a goal of any
good educational institution, but I know of no Harvard view on this
example, so the above is my principled review.

Bradner  is  Harvard  University’s  technology  security  officer.  He  can  be 
reached  at  sob@sobco.com. 


NET  INSIDER 

Scott  Bradner 


ATM  hack:  Organized  crime  or  market  forces? 


In November of 2008, a single scam netted
more than $9 million in a global automated
teller machine heist. According to the FBI,
the attackers compromised pre-paid payroll
cards from RBS WorldPay and gift cards,
launching a coordinated attack against more than 130
ATMs in 49 cities around the world. The cards
were exploited by “cashers” who withdrew
money during a single 30-minute window. If the
preliminary findings of the FBI turn out to be
true, this could represent one of the most
organized attacks in cybercrime history.

Many security researchers have been looking
at the rise of professional cybercrime as a uniquely worrying
phenomenon. Gone are the days of the juvenile hacker working alone for fame
and glory. Increasingly, the motive for cybercrime is financial and the
perpetrators are professionals.

Looming  in  the  background  is  the  more  frightening  possibility  of 
organized  cybercrime,  where  multiple  cyber-criminals  work  in  vast 
conspiracies  to  pull  off  mega-heists.  According  to  the  FBI  these  are 
often  connected  to  other  criminal  activities  either  as  the  sources 
or  recipients  of  laundered  funds  for  drugs,  gambling,  prostitution 
and  even  terrorism. 

But  crime  doesn’t  have  to  be  organized  or  conspiratorial  to  be  large 
and  worldwide.  My  concern  is  not  in  a  vast  conspiracy  of  criminal 
organizations  but  in  an  even  bigger  result  achieved  purely  through  the 
loose-coupling  of  market  forces.  Let’s  take  the  ATM  heist  as  an  example 
—  is  it  easier  to  pull  off  a  command-and-control  exploit  across  49 
countries with more than 130 subcontractors? Or were the cashers
simply the participants in a multi-level loosely coupled market?

A  criminal  organization  that  can  harness  130  or  more  individuals 
and coordinate their actions in 49 countries is scary. But a marketplace
that can lead to the emergent collaboration of 130 or more
actors  is  far  scarier. 

Firstly, a conspiracy doesn’t scale. Eventually it gets too big for its own
good. Someone blows the whistle or someone already under legal
surveillance gets involved and reveals the whole plan. It’s hard to run any
organization of that size without middle management and eventually
even a criminal organization will have to deal with diminishing
returns. But a market is altogether far more efficient. If, once the cards
were compromised, they were sold to smaller organizations or individual
cashers, the entire scheme can scale to much greater size. Of
course, you would need to tell all the buyers that the card will only
work during a 30-minute window and let their own profit motive keep
them on time. Worse are the implications for law enforcement. A market
can operate through opaque and anonymous cash transactions.
The cashers may have no idea who sold them the cards. The sellers in
turn have no idea who cloned the cards, and the cloners don’t know who
hacked the bank. The FBI has the photos of two of the cashers in a
wanted poster.

Unfortunately,  if  this  is  not  organized  crime  but  loosely  coupled 
markets  at  work,  these  cashers  may  have  had  as  much  contact 
with  the  hacking  organization  as  a  drug  mule  has  with  the  opium 
farmer. 

Antonopoulos  is  a  senior  vice  president  and  founding  partner  at 
Nemertes  Research,  an  independent  technology  research  firm.  He  can  be 
reached  at  andreas@nemertes.com. 
TECH UPDATE

An inside look at technologies and standards


Getting  a  handle  on  mobile  devices 


BY  DAN  DEARING 

While  business  users  are  thrilled  by  the  capabilities  of  smartphones 
and  quickly  adopting  them  as  handheld  computers,  it  is  unlikely 
their  IT  counterparts  share  in  the  excitement  because  traditional 
management  platforms  have  not  provided  the  tools  to  effectively  secure 
and  manage  them.  Until  the  arrival  of  Enterprise  Mobility  Management. 


EMM provides a Web services platform to
manage and secure smartphones and rugged
devices regardless of manufacturer. This platform
addresses the nuances of smartphone technology
while also providing tools that are similar
to those used by IT to manage and secure laptops
and desktops. An established EMM platform
includes:

•  Heterogeneous device support: Policy-based
security and control for iPhone and
other non-BlackBerry devices, which includes
device loss protection; endpoint security;
data-leak protection; network access control (NAC)
and identity management.

•  Centralized  management:  Enterprise-grade 
device  management,  providing  centralized 
provisioning,  compliance  enforcement,  asset 
reporting, help desk diagnostics and a self-service
user portal via a secure over-the-air SSL
connection. 

•  User compliance facilities: Reporting and
enforcement facilities to ensure user compliance
with IT mobility policies.

An enterprise mobility strategy must satisfy
stakeholders throughout IT, including information
assurance, administration and operations
and the user-facing help desk team.

The  EMM  console  lets  security  administrators 
create  policies  for  each  user  based  on  the  type 
of  smartphone  used  and  the  security  posture 
associated with the user’s job. Policy assignments
can also be made based on the user’s
membership  within  various  groups  listed  in 
the  enterprise’s  directory  service. 

For  example,  a  corporate  executive  may 
require  a  more  liberal  security  policy  while  a 
field  sales  representative  might  need  a  higher 
security policy because there is greater opportunity
for device loss.

All  policies  are  delivered  over  the  air  to  the 
smartphone agent that enforces the policy.
Console reporting tools can be used to track
the  security  posture  of  each  user  device  for 
compliance  reporting.  NAC  capabilities  are  also 
an  essential  part  of  the  EMM  platform  and  give 
the  IT  team  a  way  to  ensure  user  compliance. 

The  EMM  platform  provides  administrators 
with  a  way  to  discover  and  catalog  deployed 
handheld  mobile  devices.  Details  about  device 
hardware,  software  and  status  are  gathered  and 
transmitted  to  the  EMM  on  a  configurable 
schedule. Information about the population of
mobile devices — number of devices, serial
and model numbers, and amount of RAM —
is provided by reporting tools found within
the EMM console and can be used to help plan
and maintain an enterprisewide deployment.

While helping to maintain and track each
device, the EMM platform also supports
policy-controlled and automated deployment of
applications, simplifying the deployment process.
The platform should also support the
installation, removal and upgrading of applications
by group policy.

The  EMM  platform  provides  help  desk  tools 
for  image  management,  deployment  and 
reporting while also providing remote interactive
diagnostics that help resolve issues without
requiring  users  to  surrender  their  devices. 

In addition, EMM Self-Service Portals can
help offload the help desk of routine issues
such as forgotten password and device unlocking.
This resource should be accessible to users
from a browser on their mobile device or laptop.
The portal should provide users with quick
and easy access to FAQs, policy guidelines,
device documentation and software.

In  summary,  when  you’re  evaluating  an  EMM 
platform  ask  yourself  these  three  questions: 

•  Is the solution based on centralized management
that eliminates operational expense
by  simplifying  how  IT  administrators  and  help 
desk  specialists  implement  policies,  assist 
users  and  enforce  compliance  for  mobile 
applications  across  the  enterprise? 

•  Will  the  EMM  platform  offer  IT  the  ability  to 
secure  and  manage  a  truly  heterogeneous 
smartphone  environment  while  having  the 
ability  to  assist  in  addressing  the  needs  of  a 
mobile  workforce? 

•  Will the EMM solution help the CIO to control
smartphone costs while also protecting
corporate  information? 

If a thorough evaluation and selection process
has been done then an enterprise will
reap the benefits of EMM that include avoiding
data center expenses by integrating with directory
services, database resources and VPN
infrastructure. These capabilities will enable
you to provide choices of smartphones and
applications to best meet the mobility needs of
workers.

Dearing is vice president of Marketing and
Product Management at Trust Digital. Contact
him at ddearing@trustdigital.com.


This vendor-written tech primer has been
edited by Network World to eliminate product
promotion, but readers should note it
will likely favor the submitter's approach.


Sample profiles

| Category | Setting | Data Protection Security Policy (Example: Corporate Executive) | High Security Policy (Example: Field Sales Representative) |
|---|---|---|---|
| Administrative support functionality | General | Admin PW access & reporting | Admin PW access & reporting |
| Administrative support functionality | Help Desk | Wipe, remote unlock, uninstall | Wipe, remote unlock, uninstall |
| Data protection | Encryption Method | AES 256 | AES 256 |
| Data protection | Protected Files | PIM & "Office" Docs and IE | PIM & "Office" Docs and IE |
| User authentication | Password | 6 character PIN, 10 attempts, Wipe after failure, Idle timer 5 minutes | 6 character PIN, 10 attempts, Wipe after failure, Idle timer 5 minutes |
| Peripheral & resource control | Infrared "beaming" | On | Blocked |
| Peripheral & resource control | Wi-Fi | On | Blocked |
| Peripheral & resource control | Bluetooth | On | Blocked |
| Peripheral & resource control | Camera | On | Blocked |
| Peripheral & resource control | SD Card | Allowed / Encrypted - All Files | Allowed / Encrypted - All Files |
| Application management | Image lock | Off | On |
| Application management | SMS/MMS supervision | Off | On |
| Application management | IP supervision | Off | On |
| Application management | Web browser | Allowed | Blocked |
| Administrative controls | Login monitor | On - After 15 days, device will automatically wipe | On - After 15 days, device will automatically wipe |
TiddlyWiki macros and plugins

GEARHEAD

Mark Gibbs

In this, the penultimate installment on the
wonders of TiddlyWiki, the free, open source,
personal, portable wiki system, we’ll look at
two of the three topics promised last week,
TiddlyWiki’s macros and plugins.
Macros and plugins let you change the behavior
of TiddlyWiki without having to change the
source code.

Both macros and plugins are JavaScript code
stored in tiddlers (TiddlyWiki’s basic unit of content) that are labeled
with the tag “systemConfig”. This allows the TiddlyWiki system to identify
them as code.

TiddlyWiki includes a number of macros, such as newTiddler, which is
shown  as  a  link  in  the  right-hand  menu  of  the  standard  distribution  and, 
as  you  might  guess,  creates  a  new  tiddler. 

There’s also a sparklines macro that creates sparkline graphics; tabs,
which creates a tabbed presentation inside a tiddler; and slider, which
creates a button that slides out text when clicked. The difference between a
macro and a plugin is that plugins are executed at load time while
macros are called when individual tiddlers are opened or other events
occur, such as buttons being clicked. Also, after a plugin has executed at
load time, it can provide code to be invoked by a macro, making the
distinction between the two a little loose.

Here’s  a  simple  plugin  that  consists  of  a  code  fragment  in  a  tiddler  that 
is  tagged  with  “systemConfig”: 

//{{{
alert("Hello world");
//}}}

At start-up the code fragment will be executed and display the message
“Hello world”. This technique is often used for making global
changes  to  the  TiddlyWiki  architecture  before  the  user  gets  involved. 


To  create  a  macro  we  need  to  modify  the  code  and  add  the  macro’s 
name  to  the  global  object  “config.macros”  and  then  declare  a  handler 
for  that  name.  We  now  have  a  macro,  actually  a  JavaScript  function, 
which  can  be  executed  on  demand.  Here’s  what  a  macro  looks  like: 

//{{{
config.macros.helloWorld = {
  handler: function (place, macroName, params, wikifier, paramString, tiddler) {
    // this will run when macro is called from a tiddler
    var who = params[0] || "world";
    alert("Hello " + who);
  }
};
//}}}

Like the plugin, the code is the content of a tiddler and it is tagged
with systemConfig.

Macros can be very sophisticated and include features such as parameter
passing, domain object model awareness and calling tiddler
identification. To use the above macro from a tiddler you’d include the text:

<<helloWorld 'all TiddlyWiki fans'>>

The  angle  brackets  are  TiddlyWiki  markup  defining  a  macro  call.  In  this 
case,  the  helloWorld  handler  will  be  called  when  the  tiddler  is  opened 
and a dialog box containing the message will be displayed (if no argument
is provided the macro would print “Hello world”).
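The three macro features named above (parameter passing, DOM awareness, calling-tiddler identification) can be seen together in the following added example, which is not code from the column or from the TiddlyWiki project. The macro name helloPlace, the helper names and the 80-character cap are assumptions made for illustration; the macro writes its message into the tiddler as a text node, so markup in a parameter is shown literally rather than parsed.

```javascript
// Added example: a TiddlyWiki macro that writes into the tiddler instead of
// calling alert(). "helloPlace" and both helper names are hypothetical.

var MAX_NAME_LENGTH = 80; // assumed cap for this example, not a TiddlyWiki setting

// Parameter passing: params is the array of arguments from the macro call.
// Calling-tiddler identification: tiddler.title names the tiddler that
// contains the call (tiddler may be absent, so it is checked first).
function buildGreeting(params, tiddler) {
  var who = (params && params.length > 0 && String(params[0]).trim()) || "world";
  if (who.length > MAX_NAME_LENGTH) {
    who = who.slice(0, MAX_NAME_LENGTH) + "...";
  }
  var from = tiddler && tiddler.title ? " (called from " + tiddler.title + ")" : "";
  return "Hello " + who + from;
}

// DOM awareness: place is the DOM node where the macro call appears.
// The message is added as a text node, so any markup in a parameter or a
// tiddler title is displayed as characters and never interpreted as HTML.
function renderGreeting(place, params, tiddler, doc) {
  var span = doc.createElement("span");
  span.className = "helloPlace";
  span.appendChild(doc.createTextNode(buildGreeting(params, tiddler)));
  place.appendChild(span);
  return span;
}

// Register the macro only when running inside TiddlyWiki, where the global
// config.macros object described in the column exists.
if (typeof config !== "undefined" && config.macros) {
  config.macros.helloPlace = {
    handler: function (place, macroName, params, wikifier, paramString, tiddler) {
      renderGreeting(place, params, tiddler, document);
    }
  };
}
```

Stored in a tiddler tagged systemConfig, it is called the same way as helloWorld, with helloPlace as the macro name.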

There  are  a  few  guides  to  creating  custom  macros  such  as  the  one  at 
TiddlyWiki  Guides  (www.nw.docfinder.com/8825),  but  they  are  not  for 
the  faint  of  heart  as  they  are  mostly  short  on  detail  and  incomplete. 


Gibbs is plugged in Ventura, Calif. Run your code at
gearhead@gibbs.com.


BodyGuardz:  Too  much  work 


In  the  nine  or  so  years  that  I’ve  been  writing 
this column, I’ve come across only a few products
that have looked good on paper, but after
opening  the  box  or  trying  out  the  device,  things 
quickly  went  downhill. 

Such is the case with BodyGuardz,
a scratch-proof, transparent
film “for electronic devices”. The version I got was
for the Apple iPhone 3G, and it looks like the
countless number of other protection
devices or materials that aim to protect your
mobile device. The box says that “BodyGuardz
are a clear film that covers the body of a
device, providing scratch protection from outside
elements.” In fact, they’re made of the same
materials used to protect “the front of automobiles
from stones and other abrasive elements.”

I figured I would just slip on the film like some
of these other protective sleeves, and it would be
a quick write-up. But then I opened the box, and
discovered an “application solution” and a
“squeegee card”, along with four-step instructions
on how to apply the film to the iPhone. A closer
inspection of the application solution revealed that
while “not harmful”, it was made of water and baby
shampoo. Umm . . . OK.

It gets better (or worse, depending on your point of view). First, I had to
make  sure  I  was  installing  the  film  in  an  area  that  was  between  60  and 
90  degrees,  and  to  make  sure  that  wind  and  dirt  were  not  in  the  area 
(“wind  and  dirt  are  your  enemies”  was  one  hint  offered). 


Next, I was instructed to wet my hands with the application solution,
and keep them wet whenever handling the film. In peeling off the film
from the liner, I was instructed to spray the sticky side with the solution,
to prevent the film from folding and sticking to itself before laying it on
the device. If this worked, the next step was to lay the piece of film onto
the device and position it correctly. It seemed a lot
like doing papier-mache, or molding a clay pot on
a spinning wheel.

Step  three  and  four  involved  using  the  squeegee 
card  to  get  rid  of  any  extra  moisture,  soap  or 
air  bubbles,  with  the  warning  that  if  I  tried  to 
remove  the  film  after  10  minutes,  it  would 
leave  fingerprints  on  the  film. 

The instructions offered extra hints, such
as “be prepared”, “go slow until you are more
experienced”, and “don’t be afraid to keep
spraying.”  After  reading  these  instructions,  I 
decided  to  pass  on  putting  this  film  onto  my 
iPhone,  or  on  any  other  electronic  device.  It 
seemed  like  an  awful  lot  of  work,  just  so  I 
could  protect  my  iPhone  from  scratches  - 
especially  when  there  are  protective  cases 
and  covers  that  don’t  involve  wetting  my 
hands  with  baby  shampoo  and  water. 

I’m  sure  there’s  someone  braver  (and  more 
patient)  than  me  who  wants  to  try  and  apply 
one of these films to their electronic device. If that’s the case, send me an
e-mail  and  I’ll  mail  you  the  package. 

Grade:  ★  (out  of  five) 

Shaw  can  be  reached  at  kshaw@nww.com. 


COOL TOOLS


BodyGuardz  made  it  too  painstaking 
to  use  just  to  protect  a  mobile 
device  from  scratches. 
Six must-have products in readers’ own words

1.  AppRiver’s  Microsoft  Exchange 
Hosting  with  Shoreline 

Antonio  Palumbo,  IT  manager  with  Blue 
Man  Productions,  in  New  York,  says  . . . 




When  I  came  here,  Blue  Man  management  had 
started  the  process  of  moving  from  [Alt-N 
Technologies’  MDaemon  email  server]  to  AppRiver 
by  putting  any  new  employee  on  AppRiver  Exchange 
Hosting.  I  was  happy  about  that,  but  I  wanted  to  be 
sure  we  had  everyone  on  AppRiver.  With  MDaemon, 
we  were  constantly  getting  bombarded  with  trouble 
tickets,  so  every  time  we  moved  a  user  to  AppRiver, 
that  would  mean  one  less  problem  because 
Exchange  Hosting  is  so  solid. 

I  knew  that  getting  everybody  on  the  same  email 
system,  with  unlimited  storage,  was  going  to  make 
everyone’s  life  a  lot  easier  and  simpler. 

Today  all  that  storage  is  no  longer  a  problem.  It’s  on 
AppRiver’s  servers  and  backed  up  constantly,  with 
redundancy  across  the  AppRiver  infrastructure.  Plus, 
users  can  check  their  email  anywhere  in  the  world 
as  long  as  they  have  an  Internet  connection. 

Blue Man is a very fun, mobile and young company.
Everybody knows Blue Man for the theatre production,
but we also have a school, the Blue Man
Creativity Center in New York for children. E-mail, of
course, is a huge part of that. People don’t just sit at
their desks at Blue Man. They’re always walking
around, and traveling internationally,
and the fact that they never have to be
concerned about getting their e-mail
means they can focus on their creative
strategies.

A lot of folks here have company-issued BlackBerries, but they also have
iPhones. AppRiver is one of the first companies to offer iPhone support, with
Microsoft Exchange ActiveSync. That was a huge plus for us. In the corporate
environment, when folks come in with iPhones and say, “Hey, can we set this up with
Exchange?” nine out of 10 times the answer is no. But here at Blue Man, it was a
definite yes, and that makes things flow a lot easier.

Every  piece  of  email,  no  matter  the  device,  goes  through  AppRiver  servers.  We 
have  over  600  users,  who  each  get  more  than  100  to  200  emails  per  day,  so  we  do 
huge  volume.  AppRiver  helps  me  sleep  easy  at  night. 

For  management,  AppRiver  provides  us  with  the  Secure  Hosted  Exchange  with 
Shoreline  interface,  which  is  amazing.  I  can  log  into  a  public  Web  site,  with  a 
secure  connection,  from  anywhere  in  the  world  and  create  an  e-mail  account  on 
the fly. From the application standpoint, I go into Shoreline, download a password
request form, hit ‘next’ and everything is configured for me.

Accounts  are  easy  to  set  up,  and  the  return  on  investment  is  unbelievable.  By 
using  AppRiver  we  save  from  25%  to  30%  per  year,  depending  on  the  user  base, 
which  changes  month  to  month.  First,  we  don’t  have  to  buy  more  hard  drives  and, 
from a support standpoint, we have no need to have a full-time Exchange
administrator. That saves us $100,000. And AppRiver pricing is very aggressive per user.

See  Faves,  page  26 



24  *  FEBRUARY  23,  2009  •  www.networkworld.com 


STEVEN  VOTE 



2. BeyondTrust's Privilege Manager

Ned Cahill, IT director at Schnabel Engineering,
in Glen Allen, Va., says . . .


We were running
Symantec, and a year to
a year and a half ago, an
upgrade broke all the
servers and was a disaster
on the laptops. It took
us four or five days to get
it working correctly.

We said, ‘There’s got to be a better way.
How do we stop malware from coming
in, other than fighting these ridiculous
virus programs constantly?’ Then the idea
came up, ‘You know, if they’re not
administrators, the software can’t install.’ And we
thought that was a brilliant idea, and started
futzing around looking for tools that
would accomplish the task.

We needed a tool that would let us balance
what users need to do their jobs
against  what  we  need  to  keep  malware 
from  coming  in.  Compliance  was  an 
issue,  too.  I  work  with  engineers  who 
installed  software  because  it  was  the  tool 
they  needed  to  do  their  jobs  at  that 
moment  regardless  of  licensing  issues. 

But  they  were  installing  software  that  we 
[IT]  thought  we  could  get  bit  in  the  butt 
on,  and  we  decided  that  had  to  stop,  too. 

Surprisingly, we didn’t find many tools
and those we did find were homegrown,
difficult to set up and deal with and didn’t
really fall under Active Directory,
which is big for us. It wasn’t until we
discovered the term “least privilege” that we
came across BeyondTrust. We downloaded
Privilege Manager and in about
an hour, we had accomplished what
we wanted, which was pull administrator
rights, but still give users the ability to
do their job.

BeyondTrust also is very good with support.
If you have a question and send an
e-mail, you’ll get an answer that day. You
don’t get that with a lot of vendors, so I
like that. I want to be a big fish in
somebody’s small pond.

We have 400 users scattered nationwide,
and 100 of them can be anywhere in the
world. We’re in foreign countries all the
time, and users have to be able to connect
and work. It’s very tricky to do if you take
away their admin rights, but we’ve had no
problem at all. I don’t want to keep adding
support people. I want my support guy to
be able to take care of more people, and
these kinds of tools help.

And BeyondTrust is transparent to
users. It installs through an Active
Directory policy. We did the installation in
about three hours — we just told everybody
to reboot. It was great — and not
having to spend my nights chasing down
a virus has been fantastic.
3. Apple’s Macintosh computer


Jake  Seitz,  enterprise  architect,  The  First  America 
Corp.,  Santa  Ana,  Calif.,  says  . . . 


The first time I got my hands on a Mac was
probably in ’85 or ’86, at the computer science
lab in college. That was the beginning of the
desktop phenomenon. In the late ’80s, everybody
started going with Windows as well, but the
Mac just kind of stuck with me.

In  the  corporate  environment,  we  use  Macs 
for  just  about  everything  —  for  audio  and 
visual,  for  videoconferencing,  for  typical  tasks,  like  Word  and 
Exchange.  So  really  from  my  perspective  as  an  architect,  I  use  it 
for  just  about  everything.  Of  course,  I  also  use  Windows 
machines  at  work.  Each  has  its  pros  and  cons. 

The corporate policy here is Windows-based, but you
can opt out for a Mac and receive partial support.
“Crusade” is probably too strong a word,
but I definitely have persuaded some folks here
at work that Macs might be the best fit for them,
so we’re starting to see more and more Macs pop up.
4. Microsoft Exchange 2007 SP1

Bryce  Morrow,  CTO  at  The  Beck 
Group,  in  Dallas,  says  . . . 

We’d been using Lotus Notes
since around ’97 timeframe, and
by 2006 we felt it had atrophied.

That’s  when  we  really  started 
talking  about  needing  more 
integration  between  CRM,  other 
applications  and  e-mail. 

Integration is our business,
not from a technology standpoint, but from a
business-process standpoint. We have done a good job
of becoming an integrated firm, so I felt like we
needed a product that would allow us to do more
of that — be integrated and grow in an integrated
manner. That’s not to say Lotus Notes couldn’t do
that, but we didn’t have the staff to continue
developing for it at the rate we needed.

In July '07, I started looking
at Google Apps and
Exchange. I felt that the
online application service
was around the corner —
and by that I mean Google
serving up applications,
Word documents, spreadsheets,
and the like — but it
wasn’t quite ready at that
point and I wasn’t willing to take the risk.

I was pulled to Exchange because of the entire
Microsoft suite — not only Exchange, but MOSS
[Microsoft Office SharePoint Server], LiveMeeting,
SCCM [System Center Configuration Manager],
six or seven products — and I felt that would give
us a good jumpstart on integration with the
infrastructure and with non-Microsoft and
business-critical systems and applications.

We  made  the  decision  to  go  with  Exchange  in 
January  2008,  and  went  live  Aug.  18. 

We are running 13 virtual servers in our
Exchange environment with 1,000 users on three
physical hosts. We use VMware ESX server
connected to Apple Xserve RAID storage.

The Exchange environment has outperformed
our expectations. The virtualization piece really
makes the servers easier to manage from an
administrator’s standpoint. The learning curve for
our employees has been minimal, and they are
able to do things in Outlook that were not
possible in the old system.

For example, the way we archive emails for legal
purposes is more streamlined now. At a job site,
what used to take, say, an hour, now takes 10
minutes. And, before when users archived documents
out at a job site, they never knew what was
happening. Now they see a progress bar. That was a
huge productivity gain for us on the project —
and a very important one at that.

See  Faves,  page  28 
5. Sophos’ Endpoint and Security Control software

John Endahl, senior information security administrator at Tech Team Global,
in Southfield, Mich., says . . .


When I first came into
the organization five years
ago, we were using another
company’s product. It was
one of the top three products,
but we kept having
issue after issue with it and
the support was absolutely
horrible. When it came time to renew our
contract three years ago, we could pay almost
double the cost for a better support contract,
or we could switch to a different product.

We started a six-month process of evaluating
products based on our criteria: It had to
be simple to deploy and to administer. It
had to have decent antispam capabilities
for a gateway product. It had to have good
technical support — which is really why we
wanted to get away from our previous vendor.
And it had to be something I was capable
of administering on a day-to-day basis.
We’ve got offices pretty much all over the
world, and we’re still expanding. I have to be
able to look at what’s going on at all these
different locations, make sense of a problem,
and if I’m not able to correct it immediately,
I need to make sure I’ve got the support
behind me that will get it resolved
quickly. In the final analysis, Sophos had all
the essential pieces without making the product
so technically challenging
that we’d have problems
rolling it out.

What won me over from a technical standpoint was Sophos’ updating mechanism. The other vendors released weekly or daily updates that typically would be megabytes in size. So every time an update came out, we’d be downloading a multi-megabyte file to a central server and then pushing that file out to every single system over the local network. With Sophos, new definitions get released as they’re ready to go. Sophos typically releases eight to 10 definitions a day. Those definitions are very small, like 4K each, which makes download and deployment much quicker and easier with a whole lot less network overhead. Because those definitions are so small, we can have our systems update every 15 minutes with no impact on the endpoints. This reduces the vulnerability window against any new or emerging threats.

Over the last three years, Sophos has built a lot of additional functionality into the product. It has rolled out application control, for example, so we can stop unauthorized applications [like games or some business tools] from running on our network. It has also rolled out device control, so we have the ability to lock down USB devices, CD-ROMs, floppy disks and so on, to keep anything nasty from coming in from that particular attack vector. And it recently rolled out network access control as part of the product. Since all this added functionality at no additional cost to us, that’s a return on investment we can really appreciate and show to our vice presidents.

As  for  support,  normally  the  phone  gets 
answered  within  the  first  four  or  five  rings, 
and  I  have  a  tough  time  getting  the  person 
off  the  phone  till  that  person  has  resolved 
the  issue.  ...  I’ve  been  amazed  and 
impressed  with  the  depth  of  knowledge 
every  support  person  I’ve  talked  to  has 
about  the  inner  workings  of  the  product. 
They  get  in  there,  know  exactly  what  an 
error  message  means  and  know  where  to 
go  from  there. 

6. Cisco Aironet 1142 wireless access point

Erik Parker, a senior infrastructure analyst at Toyota Motor Sales, in Torrance, Calif., says ...


We have about 2,800 access points deployed across the country. The bulk of them are installed in warehouses, which is strictly for parts picking. But we also have them in all of our regional sales offices for general usage — laptops, guest access and for some specialty devices; our service training division; and our campus wireless, which covers the 22 buildings here. The campus wireless is used primarily by our guests, because we have so many vendors and consultants on campus, and then secondarily by associates.

On campus, where we’ve got tons of file sharing, larger applications, streaming video, things like that, the 802.11n wireless network is the first technology that’s really allowing us to consider no longer running wires to the desktop.

The throughput of 802.11g just wasn’t quite high enough. But now the n-based access points are pretty much giving us the same throughput as a hard-wired 100Mbps link, while using a 40MHz channel width.

We originally started testing with the 1252s, which is the ruggedized “n” access point and we saw phenomenal speeds. When we got the first 1142 in for testing, we saw the same types of speeds, but the 1142 has a couple of big advantages over the 1252 for the office area. One, it has an integrated antenna so it can be placed above the ceiling tile and, two, it runs off of normal 802.3af power. The 1142 is nice; we just plug it into our standard Catalyst 6500 or Catalyst 3750 PoE chassis and it powers up perfectly and starts servicing clients and connects to the controller.

The 1142’s beamforming is one feature that is extremely cool, but because of our quick life cycle of being able to retire old protocols we won’t get a lot of benefit out of. If you take away all the marketing terms and fluff and read the technology behind beamforming, it’s really incredible. It lets us get higher speeds to our “g” clients because we’re able to offer them a better signal-to-noise ratio overall. I know beamforming is part of the standard, as an optional piece, but how Cisco is doing it [in silicon] is cool. When you look at how many clients have so-so signal-to-noise ratios, increasing those will provide a huge benefit.

We have the 1142 running in a test environment currently. The first site rolling out all n-based wireless network is coming up the first week in March. That’s a small remote service training site, so it’ll only get about a dozen access points. By the end of this year, we’ll probably have about 50 1142s deployed, mostly here on campus — between the two engineering buildings — and then by the end of next year we’ll have 450 deployed, which will be all of campus. Once we're done, we'll be looking at about 900 users moving to 802.11n.

Security guru pushes DNS patching


BY  CARA  GARRETSON 

WASHINGTON, D.C. — Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions.

Speaking at the Black Hat DC 2009 conference last week, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies.

“DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it’s infecting everything else that uses” DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. “The only group that has actually avoided DNS because it’s insecure are security technologies, and therefore those technologies aren’t scaling.”

Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw — known as the Kaminsky Bug — where cache poisoning attacks allow a hacker to redirect traffic from a legitimate Web site to a fake one without users realizing it. DNSSEC attempts to prevent spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Even though key operating system vendors — including Sun, Cisco and Microsoft — released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.

The U.S. government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.

One roadblock to DNSSEC adoption is that it isn’t easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.

Still, Kaminsky said DNSSEC offers the most feasible solution to a serious threat.

“We need to put out the immediate fire,” he said. “We should stop arguing whether DNS should be used for security and [just] use it for security because it scales.”

Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because Web applications such as e-mail and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.


Cloud  security  fears  are  overblown 


BY  JAMES  NICCOLAI,  IDG  NEWS  SERVICE 

It may sound like heresy, but it’s possible to worry a little too much about security in cloud computing environments, speakers at IDC’s Cloud Computing Forum said last week.

Security is the No. 1 concern cited by IT managers when they think about cloud deployments, followed by performance, availability and the ability to integrate cloud services with in-house IT, according to IDC’s research.

Keeping data secure is critical, but companies need to be realistic about the level of security they achieve inside their own business, and how that might compare with a cloud provider such as Amazon Web Services or Salesforce.com, speakers said.

“A lot of security objections to the cloud are emotional in nature, it’s reflexive,” said Joseph Tobolski, director for cloud computing at Accenture. “Some people create a list of requirements for security in the cloud that they don’t even have for their own data center.”

That was the experience of Doug Menefee, CIO at Schumacher Group, which provides emergency room management services to hospitals. The company is migrating most of its applications to hosted, cloud-based services.

“My IT department came to me with a list of 100 security requirements and I thought, ‘Wait a minute, we don’t even have most of that in our own data center,’” he said.

Schumacher Group takes security seriously, Menefee said, but as a midsize company with only three IT staff working full time on security, he trusts large cloud providers to do it better. “We get the same level of security with Salesforce.com as any large company using that service,” he said.

Schumacher Group stores sensitive data only with providers that comply with the Health Insurance Portability and Accountability Act (HIPAA), Menefee said. He recently started a project to deploy Google’s online productivity tools, but Google is not HIPAA-certified, “so no patient data gets stored there,” he said.

Schumacher Group is not a publicly traded company, he noted, and its legal requirements for security are less complex than for public entities. Some large enterprises, especially in areas like finance, will have greater concerns about security, noted Jean Bozman, an IDC research vice president.

Still, one audience member admitted that the idea was “counterintuitive” and that security concerns may actually drive companies into the cloud. “If you go to the RSA [security] conference, the major vendors will tell you every year that their next release will solve all these security problems that you have today. But they never do,” he said.

Frank Gens, IDC’s chief analyst, offered a definition of cloud computing: “Shared services, under virtual management, accessible over the Internet by people and other services via Internet standards.” Some, but not all, are offered on a self-service basis, he said.

IDC revisited its projections for all areas of IT after the recession set in, and cloud computing was almost the only one for which its projection increased, Gens said.

New Zealand gets insane copyright law

Organized crime is everywhere. There’s the Sicilian Cosa Nostra, the American Mafia and the Russian Mafia. There’s also the Japanese Yakuza and, until they got so wealthy from their realty holdings and legitimate businesses they couldn’t afford to be outside of the law, the Irish Sinn Fein.

The cynical among us might also include the barons of Wall Street and the cartels that control oil (OPEC) and diamonds (DeBeers), along with the U.S. health insurance industry (how they avoid being taken to court for their antitrust activities is a source of endless surprise to me).

There’s another type of organization whose actions border on criminal and are particularly dangerous to Internet users. I’m talking about the various groups around the globe that claim to represent the music recording industry.

These groups represent huge private corporations such as record labels and distributors and are remarkably powerful. One such outfit, the Recording Industry Association of New Zealand (RIANZ), has just achieved something so outrageous, so stupendously immoral, that it bears careful consideration.

Here’s the story: A law was recently passed in New Zealand that has created what many consider to be the world’s harshest copyright enforcement law. This insanity, found in Sections 92A and C of New Zealand’s Copyright Amendment Act 2008, establishes — and I am not making this up — a guilt upon accusation principle! This means that anyone accused of “copyright infringement” will get his Internet connection cut off; and they will be treated as guilty until proven innocent.

And if that weren’t enough, this crazy legislation defines anyone providing Internet access as an ISP and makes them responsible for monitoring and cutting off Internet access for anyone who uses their services and is accused of copyright violations. Thus libraries, schools, coffee shops, cafes — anyone offering any kind of Internet access — will be considered ISPs and become responsible and potentially liable.

How could this ridiculous idea have become law in one of the nicest, most civilized countries I’ve ever visited?

The answer is that it is the result of immense pressure from RIANZ. In much the same way that the Recording Industry Association of America (RIAA) has used its massive legal resources to bully, harass and prosecute individuals alleged to have infringed copyright, RIANZ lobbied and somehow persuaded New Zealand’s parliament that the law was just, reasonable and the right thing to do.

Consider that similar proposals have not only been rejected by the European Union, but have resulted in an amendment that prohibits member states from implementing laws that would allow the disconnection of people accused of file-sharing based on the often dubious “evidence” of anti-piracy groups.

This amendment — which states that any such legislation “disconnecting alleged file-sharers based on evidence from anti-piracy lobby groups restricts the rights and freedoms of Internet users” — put in a timely appearance given the British Phonographic Industry (BPI) has been lobbying hard for such laws and the French government was on the verge of implementing a bill similar to New Zealand’s.

It seems that all of these industry meta-groups, the RIANZ, the BPI, and our own RIAA, just can’t accept that they have a problem that can’t be fixed the way they want it to be fixed. Instead they resort to politics and bullying to get what they want and it seems that many governments are willing to go along. How long before we see a U.S. law that mirrors the New Zealand law?

Gibbs is somewhat cynical in Ventura, Calif. Send your suspicions to backspin@gibbs.com.

Social networks vary on reliability

That Twitter had more downtime last year (84 hours) than any of 15 social network sites measured by an uptime monitoring service should surprise no one: The site’s “fail whale” is so famous it was just featured in the New York Times.

However, what may surprise some Twitter users and industry observers — me, for example — is that the site’s availability performance showed dramatic improvement over the second half of 2008, according to Pingdom.

The same cannot be said for LinkedIn, which appears to have caught a case of whatever had been knocking Twitter offline so regularly. Those are a few of the findings from “Social Network Downtime in 2008”, a report out last week that covers Facebook, MySpace, LinkedIn, Twitter, Friendster, LiveJournal, Orkut, Bebo, Hi5, Windows LiveSpaces, Last.fm, Classmates.com, Reunion.com, Xanga and eight months’ worth of performance from Imeem.

Five from that group — including heavyweights MySpace and Facebook — recorded outstanding uptime records of 99.9% or better; the other three being Classmates.com, Xanga and Imeem.

“The survey reveals several interesting trends,” says Pingdom’s Peter Alguacil. “For example, a full 84% of Twitter’s downtime came during the first half of 2008, when the service was still struggling with stability issues. July and onward has seen a significant improvement for the service. LinkedIn, on the other hand, is having the opposite problem. Each quarter showed a larger amount of downtime for LinkedIn than the previous one.”

LinkedIn had 45.8 hours of downtime last year, second only to Twitter on the dubious distinction scale. Their public relations department didn’t respond to my request for comment.

Third most often offline was Friendster, which logged the most lengthy downtime episode — 23 hours over three days in November — thus marring an otherwise middle-of-the-pack uptime record.

My takeaway: I’m going to lighten up on Twitter. ... And perhaps those of you who use LinkedIn can keep an eye on them for me.

They won't take good-bye for an answer

I learned to steer clear of LendingTree.com three years ago when my search for a mortgage delivered nothing but spam. When I say I’m done with them, however, that’s just an expression, as readers of Buzzblog learned last week as I passed along a tale of woe from a friend that redefines the phrase “customer-retention program.”

This was the introduction: “Thinking about putting LendingTree.com to work for you (you know, the ‘When Banks Compete You Win’ folks)? Think again. Tried the service for a car loan and when they couldn’t find anyone that wanted to loan me anything (which is a frightening glimpse into the state of the financial world since I have little debt and an excellent credit history) I went to close the account. But there is nothing on the site about how to do that. So I tried the customer chat option. Here’s the transcript:”

Eight back-and-forths plus a supervisor later we get the bottom line: No can do; my guy is told they cannot deactivate his account.

The good news is that Buzzblog readers leapt to the fore with workarounds, and one even reported having just gotten LendingTree to do for him that which it said could not be done. All in all, good fun, and you can read the entire transcript and string of comments at www.nwdocfinder.com/8836.

You can add your own there or here: buzz@nww.com.


